Introduction

Petri nets are a well-known model of concurrent and distributed systems, widely used 
both in theoretical and applicative areas. In classical approaches, such as [34], nets are
intended to represent closed, completely specified systems evolving autonomously through 
the firing of transitions. In order to represent open systems, namely systems which can 
interact with the surrounding environment or, from a different perspective, systems which 
are only partially specified, several extensions of the basic model of Petri nets have been 
considered in the literature. Conceptually, this effort dates back to the early works on net 
composition and refinement and to the studies concerning the development of compositional 
semantics for Petri nets (a discussion of the related literature can be found in the concluding 
section). 

Generally speaking, important issues that must be faced when modelling open systems 
can be summarised as follows. Firstly, a large (possibly still open) system is typically 
built out of smaller open components. Syntactically, an open system is equipped with 
suitable interfaces, over which the interaction with the external environment can take place. 
Semantically, openness can be represented by defining the behaviour of a component as if 
it were embedded in general environments, determining any possible interaction over the 
interfaces. 

Secondly, often the building components of an open system are not statically determined,
but they can change during the evolution of the system, according to predefined
reconfiguration rules triggered by internal or external solicitations. 

The work in this paper outlines a framework where open systems can be modelled 
as Petri nets, capturing both the requirements mentioned above. Observational semantics 
based on (weak) bisimulation are shown to be congruences with respect to the composition 
operation defined over Petri nets. Building on this, suitable reconfigurations of such systems
can be specified as net rewritings, which preserve the behaviour of the system. The
relation with other approaches in the literature addressing similar issues will be discussed
in Section 7.

The framework presented here is based on so-called open nets, a mild generalisation 
of ordinary Petri nets introduced in [31 H) to answer the first of the requirements above, 
i.e., the possibility of interacting with the environment and of composing a larger net out of 
smaller open components. An open net is an ordinary net with a distinguished set of places, 
designated as open, through which the net can interact with the surrounding environment. 
As a consequence of such interaction, tokens can be freely generated and removed in open 
places. In the mentioned papers open nets are endowed with a composition operation, 
characterised as a pushout in the corresponding category, suitable to model both interaction 
through open places and synchronisation of transitions. 

In the first part of the paper, after having extended the existing theory for open nets 
to deal with marked nets, we introduce bisimulation-based observational equivalences for 
open nets. Following a common intuition about reactive systems (see, e.g., [43, 29] or
the recent [20]) such equivalences are based on the observation of the interactions between
the given net and the surrounding environment. The framework treats uniformly strong 
bisimilarity, where every transition firing is observed, and weak bisimilarity, where a subset 
of unobservable transition labels is fixed (corresponding to $\tau$-actions in process calculi) and
the firings of transitions carrying such labels are considered invisible. We also consider step 
bisimilarity (see, e.g., [SI [30]), obtained by taking as observations possibly parallel steps 
rather than single firings of transitions, thus capturing, to some extent, the concurrency
properties of the system. 

The considered notions of bisimilarity are shown to be congruences with respect to the 
composition operation over open nets. Interestingly enough, this holds also when the set 
of non-observable labels is not empty, i.e., for weak bisimilarities: some natural questions 
regarding the relation with weak bisimilarity in CCS are addressed. In addition, we propose 
an up-to technique for facilitating bisimilarity proofs. 

Exploiting the results in the first part of the paper we next introduce a framework for 
open net reconfigurations. The fact that open net components are combined by means of 
pushouts naturally suggests a setting for specifying net reconfigurations, based on double- 
pushout (DPO) rewriting p3]. Using the congruence result for bisimilarity we identify 
classes of transformation rules which ensure that reconfigurations of the system do not 
affect its observational behaviour. 

In order to understand this paper some basic knowledge of category theory (see for 
instance [32]) is required.

1. Marked Open Nets 

An open net, as introduced in [31 d] , is an ordinary P/T Petri net with a distinguished 
set of open places, which represent the interface through which the environment can interact 
with the net. An open place can be an input place, meaning that the environment can put 
tokens into it, or an output place, from which the environment can remove tokens, or both. 
In this section we introduce the basic notions for open nets as presented in [3], generalising 
them to nets with initial marking: this will be needed in the treatment of bisimilarity in 
Section 01 

Given a set $X$ we write $2^X$ for the powerset of $X$ and $X^\oplus$ for the free commutative
monoid over $X$, with monoid operation $\oplus$, whose elements will be referred to as multisets over
$X$. Moreover, given a function $h : X \to Y$ we denote by the same symbol $h : 2^X \to 2^Y$ its
extension to sets, and by $h^\oplus : X^\oplus \to Y^\oplus$ its monoidal extension. Given a multiset
$u \in X^\oplus$, with $u = \bigoplus_{x \in X} u_x \cdot x$, for $x \in X$ we will write $u(x)$ to denote the
coefficient $u_x$. With little abuse of notation, we will write $x \in u$ iff $u(x) \geq 1$. Given
$u, v \in X^\oplus$ we write $u \leq v$ when $u(x) \leq v(x)$ for any $x \in X$. In this case the multiset
difference $v \ominus u$ is the multiset $w$ such that $u \oplus w = v$. The symbol $0$ denotes the
empty multiset.

Definition 1.1 (multiset projection). Given a function $f : X \to Y$ and a multiset $u \in Y^\oplus$
we denote by $(u \downarrow f) \in X^\oplus$ the projection of $u$ along $f$, which is the multiset over $X$
defined as $(u \downarrow f) = \bigoplus_{x \in X} u(f(x)) \cdot x$.

In other words, $(\_ \downarrow f) : Y^\oplus \to X^\oplus$ is the monoidal extension of the function
$(\_ \downarrow f) : Y \to X^\oplus$ defined by $(y \downarrow f) = x_1 \oplus \ldots \oplus x_n$ when
$f^{-1}(y) = \{x_1, \ldots, x_n\}$. For instance, given $f : \{s_0, s_1, s_2\} \to \{s'_1, s'_2, s'_3\}$ such that
$f(s_0) = f(s_1) = s'_1$ and $f(s_2) = s'_2$, we have
$(2s'_1 \oplus s'_2 \oplus s'_3 \downarrow f) = 2s_0 \oplus 2s_1 \oplus s_2$. In the following we will mainly work
with injective functions, for which the projection operation satisfies some expected properties, such as
$f^\oplus((u \downarrow f)) \leq u$ and $(f^\oplus((u \downarrow f)) \downarrow f) = (u \downarrow f)$.

We consider nets where transitions are labelled over a fixed set of labels $\Lambda$.

Definition 1.2 (P/T Petri net). A P/T Petri net is a tuple $N = (S, T, \sigma, \tau, \lambda)$ where $S$ is
the set of places, $T$ is the set of transitions (with $S \cap T = \emptyset$), $\sigma, \tau : T \to S^\oplus$ are
functions mapping each transition to its pre- and post-set and $\lambda : T \to \Lambda$ is a labelling
function for transitions.

P. BALDAN, A. CORRADINI, H. EHRIG, R. HECKEL, AND B. KONIG

Figure 1: Two open nets and an open net morphism.

In the sequel we will denote by ${}^\bullet(\cdot)$ and $(\cdot)^\bullet$ the monoidal extensions of the functions
$\sigma$ and $\tau$ to functions from $T^\oplus$ to $S^\oplus$. Moreover, given $s \in S$, the pre- and post-set of $s$
are defined by ${}^\bullet s = \{t \in T : s \in t^\bullet\}$ and $s^\bullet = \{t \in T : s \in {}^\bullet t\}$.

Definition 1.3 (Petri net category). Let $N_0$ and $N_1$ be Petri nets. A Petri net morphism
$f : N_0 \to N_1$ is a pair of total functions $f = (f_T, f_S)$ with $f_T : T_0 \to T_1$ and $f_S : S_0 \to S_1$,
such that for all $t_0 \in T_0$, ${}^\bullet f_T(t_0) = f_S^\oplus({}^\bullet t_0)$, $f_T(t_0)^\bullet = f_S^\oplus(t_0^\bullet)$ and
$\lambda_1(f_T(t_0)) = \lambda_0(t_0)$.
The category of P/T Petri nets and Petri net morphisms is denoted by Net.

It is worth recalling that category Net is a subcategory of the category Petri of [24],
which has the same objects, but more general morphisms which can map a place to a 
multiset of places. 

We next introduce the notion of open net. As anticipated above, differently from OS], 
we work here with marked nets. 

Definition 1.4 (open net). An open net is a pair $Z = (N_Z, O_Z)$, consisting of a P/T Petri
net $N_Z = (S_Z, T_Z, \sigma_Z, \tau_Z, \lambda_Z)$ and a pair $O_Z = (O_Z^+, O_Z^-) \in 2^{S_Z} \times 2^{S_Z}$, the sets of
input open, respectively, output open places of the net. A marked open net is a pair $(Z, u)$ where
$Z$ is an open net and $u \in S_Z^\oplus$ is the initial marking.

Hereafter, unless stated otherwise, all open nets will be assumed implicitly to be marked. 
An open net will be denoted simply by Z and the corresponding initial marking by u. 
Subscripts carry over to the net components. The graphical representation for open nets is 
similar to that for standard nets. In addition, the fact that a place is input or output open 
is represented by an ingoing or outgoing dangling arc, respectively. For instance, in net $Z_1$
of Fig. 1 place $s$ is both input and output open, while $s'$ is only output open.

The notion of enabledness for transitions is the usual one, but besides the changes
produced by the firing of the transitions of the net, we consider also the interaction with
the environment which is modelled by events, denoted by $+_s$ or $-_s$, which produce or
consume a token in an open place $s$. Such events correspond to the pseudo-transitions
of [43] and to the transition in the universal context of [29].

Definition 1.5 (set of extended events). Let $Z$ be an open net. The set of extended events
of $Z$, denoted by $\bar{T}_Z$ and ranged over by $e$, is defined as

$$\bar{T}_Z = T_Z \cup \{+_s : s \in O_Z^+\} \cup \{-_s : s \in O_Z^-\}.$$

Defining ${}^\bullet{+_s} = 0$ and ${+_s}^\bullet = s$, and symmetrically, ${}^\bullet{-_s} = s$ and ${-_s}^\bullet = 0$, the
notion of pre- and post-set extends to multisets of extended events.
Given a marking $u \in (O_Z^+)^\oplus$, we denote by $+_u$ the multiset $\bigoplus_{s \in O_Z^+} u(s) \cdot +_s$. Similarly,
$-_u = \bigoplus_{s \in O_Z^-} u(s) \cdot -_s$ for $u \in (O_Z^-)^\oplus$.

Definition 1.6 (firings and steps). Let $Z$ be an open net. A step in $Z$ consists of the
execution of a multiset of (extended) events $A \in \bar{T}_Z^\oplus$, i.e.,

$$u \oplus {}^\bullet A \ [A\rangle \ u \oplus A^\bullet.$$

A step is called a firing when $A$ consists of a single event, i.e., $A = e \in \bar{T}_Z$.

A firing can be (i) the execution of a transition $u \oplus {}^\bullet t \ [t\rangle \ u \oplus t^\bullet$, with
$u \in S_Z^\oplus$, $t \in T_Z$; (ii) the creation of a token by the environment $u \ [+_s\rangle \ u \oplus s$, with
$u \in S_Z^\oplus$, $s \in O_Z^+$; (iii) the deletion of a token by the environment $u \oplus s \ [-_s\rangle \ u$, with
$u \in S_Z^\oplus$, $s \in O_Z^-$. A step is the execution of a multiset of transitions and interactions with
the environment, of the kind $A \oplus -_w \oplus +_u$ for $A \in T_Z^\oplus$, $w \in (O_Z^-)^\oplus$ and $u \in (O_Z^+)^\oplus$.

We now introduce suitable morphisms relating open nets, which are morphisms between 
the underlying P/T nets, satisfying certain conditions on the open places and on the initial 
marking. In particular, given an injective morphism $f : Z_1 \to Z_2$, we can think of $N_{Z_1}$ as a
subnet of $N_{Z_2}$. In this case, we require that a place of $Z_1$ is input/output open in $Z_2$ only if
it is so in $Z_1$, and that a transition in $T_{Z_2} - T_{Z_1}$ can put/remove a token on/from a place of
$Z_1$ only if that place is input/output open in $Z_1$. Furthermore, any place of $Z_1$ must have
the same number of tokens of its image in $Z_2$. This is formalized by the following definition,
which introduces general morphisms, possibly non-injective. 

Definition 1.7 (open net category). An open net morphism $f : Z_1 \to Z_2$ is a Petri net
morphism $f : N_{Z_1} \to N_{Z_2}$ such that, if we define
$\mathrm{in}(f) = \{s \in S_{Z_1} : {}^\bullet f_S(s) - f_T({}^\bullet s) \neq \emptyset\}$
and $\mathrm{out}(f) = \{s \in S_{Z_1} : f_S(s)^\bullet - f_T(s^\bullet) \neq \emptyset\}$, then

(1) (i) $f_S^{-1}(O_{Z_2}^+) \cup \mathrm{in}(f) \subseteq O_{Z_1}^+$ and (ii) $f_S^{-1}(O_{Z_2}^-) \cup \mathrm{out}(f) \subseteq O_{Z_1}^-$.

(2) $u_1 = (u_2 \downarrow f_S)$ (reflection of initial marking).

The morphism $f$ is called an open net embedding if both $f_T$ and $f_S$ are injective. We will
denote by ONet the category of open nets and open net morphisms.

Conceptually, condition 1 formalizes the intuition that each open net can interact with
the environment only through open places. In fact, given an embedding $f : Z_1 \to Z_2$, if $s$ is
a place of $Z_1$ which is open in $Z_2$, then an interaction of the environment with $Z_2$ through
$s$ would also affect $Z_1$; therefore $s$ must be open in $Z_1$ as well. That is, input/output open
places must be reflected by the embedding, as stated by the first part of conditions 1.(i) and
1.(ii). Furthermore, if a transition in $T_{Z_2} - T_{Z_1}$ can put a token in a place $s$ of $Z_1$, this is
seen from $Z_1$ as an interaction with the environment, and therefore $s$ must be (input) open
in $Z_1$; this is formalized by the second part of conditions 1.(i) and 1.(ii). Finally, condition 2
requires the marking of $Z_1$ to be the projection of the marking of $Z_2$: any place $s_1 \in S_{Z_1}$
must carry the same number of tokens as its image $f(s_1) \in S_{Z_2}$, i.e., $u_1(s_1) = u_2(f(s_1))$ for
any $s_1 \in S_{Z_1}$.

Consider, for instance, morphism $f_1 : Z_0 \to Z_1$ in Fig. 1: the mapping of places and
transitions is suggested by the shape and labelling of the nets. Note that in $Z_1$ a "new"
olabelled transition is attached to the places $s$ and $s'$. This is legal since the corresponding
places in $Z_0$ are output open and input open, respectively. Note also that the number of
tokens in places in $Z_0$ and in their image through $f_1$ is the same. Instead, the number of
tokens in the place $s''$ in $Z_1$ is not constrained since it is not in the image of $f_1$; the place
is marked, but $f_1$ would have been a legal morphism also if $s''$ were not marked.
It is worth observing that most of the constructions in the paper will be defined for
open net embeddings, hence readers can limit their attention to embeddings if this helps 
the intuition. Still, on the formal side, working in a larger host category with more general 
morphisms is essential to obtain a characterisation of the composition operation in terms 
of pushouts. Specifically, non-injective open net morphisms are needed as mediating
morphisms (recall, for example, that the category of sets with injective functions does not have
all pushouts).

Observe that the constraints characterising open nets morphisms have an intuitive 
graphical interpretation: 

• The connections of transitions to their pre-set and post-set have to be preserved. New 
connections cannot be added. 

• In the larger net, a new arc may be attached to a place only if the corresponding place 
of the subnet has a dangling arc in the same direction. Dangling arcs may be removed, 
but cannot be added in the larger net. 

• The number of tokens in each place in the source net must be preserved in the target. 
Instead, there are no restrictions on the marking of places of the target net which are not 
in the image of the source net. 

In the sequel, given an open net morphism $f = (f_S, f_T) : Z_1 \to Z_2$, to lighten the
notation we will omit the subscripts "S" and "T" in its place and transition components,
writing $f(s)$ for $f_S(s)$ and $f(t)$ for $f_T(t)$. Moreover we will write
$f^\oplus : \bar{T}_{Z_1}^\oplus \to \bar{T}_{Z_2}^\oplus$ to denote the monoidal function defined on the generators by
$f^\oplus(t) = f(t)$ for $t \in T_{Z_1}$ and, for $x \in \{+, -\}$, $f^\oplus(x_s) = x_{f(s)}$, if $f(s) \in O_{Z_2}^x$ and
$f^\oplus(x_s)$ undefined, otherwise. Note that $f^\oplus$
can be partial since open places can be mapped to closed places.

The next proposition explicitly shows that category ONet, as introduced in Definition 1.7,
is well defined. To prove this fact we will use the well-definedness of the category
of unmarked open nets, introduced in [JJ. This category, denoted here by ONet$^u$, has
(unmarked) open nets as objects and mappings satisfying only condition 1 in Definition 1.7
as morphisms. These will be referred to as unmarked open net morphisms.

Proposition 1.8. Open net morphisms are closed under composition. 

Proof. Let $f_1 : Z_1 \to Z_2$ and $f_2 : Z_2 \to Z_3$ be open net morphisms. Then $f_1$ and $f_2$ are
unmarked open net morphisms and thus, since ONet$^u$ is a well-defined category, also $f_2 \circ f_1$
is an unmarked open net morphism. In order to prove that $f_2 \circ f_1$ is a well defined open net
morphism it remains to show that it satisfies also condition 2 in Definition 1.7, i.e., that it
reflects the initial marking. But this fact follows easily from the definition. In fact, for any
$s_1 \in S_{Z_1}$,

$u_3(f_2(f_1(s_1)))$

$= u_2(f_1(s_1))$ [since $f_2$ is an open net morphism]

$= u_1(s_1)$ [since $f_1$ is an open net morphism] □

Unlike most of the morphisms considered over Petri nets in the literature, open net
morphisms are not simulations. As an example, consider the open net embedding in Fig. 2(a).
While the transition labelled c in the net $Z_1$ can fire infinitely many times, its image in the
second net $Z_2$ can fire only once.

Instead, since open net embeddings are designed to capture the idea of inserting a net
into a larger one, they are expected to reflect the behaviour, in the sense that given an
embedding $f : Z_0 \to Z_1$, the behaviour of $Z_1$ can be projected along $f$ to the behaviour
of $Z_0$. The target net of a morphism is in general more "instantiated" and thus more
constrained than the source net (e.g., a place which is open in the source net can be closed
in the target). We will come back to this fact in the conclusions.

Figure 2: (a) Open net morphisms are not simulations and (b) an example of non-injective
open net morphism.

Although the paper will mainly use open net embeddings, a remark about non-injective
morphisms is in order. Consider the open net morphism $f_2$ in Fig. 2(b), where
$f_2(t') = f_2(t'') = t$ and $f_2(s') = f_2(s'') = s$. As, intuitively, the two transitions of $Z_1$ become the
same transition in $Z_2$, in this case by reflection of behaviour we mean that the firing of $t$ in
$Z_2$ must be reflected to the parallel firing of $t'$ and $t''$ in $Z_1$. Note that this is the case, e.g.,
for the initial markings: $s$ enables $t$ and its projection $(s \downarrow f_2) = s' \oplus s''$ enables $t' \oplus t''$.

In the rest of this section we formalize the intuition that an open net embedding
$f : Z \to Z'$ reflects the behaviour by showing that each step of $Z'$ can be projected along $f$
to a step of $Z$. It could be shown that the behaviour of an open net is reflected along
non-injective morphisms as well, but this would require some technical complications which 
we prefer to avoid, as it will not be used in the rest of the paper. 

We start by defining the projection of multisets of extended events along open net 
embeddings. 

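Definition 1.9 (projecting extended events). Given an open net embedding $f : Z \to Z'$,
the projection of extended events along $f$, denoted $(\_ \Downarrow f) : \bar{T}_{Z'} \to \bar{T}_Z^\oplus$, is defined as follows.
For each $e' \in \bar{T}_{Z'}$,

• if $e' = t' \in T_{Z'}$ is a transition, then

$$(t' \Downarrow f) = \begin{cases} t & \text{if } t \in T_Z \text{ and } f(t) = t' \\ -_{({}^\bullet t' \downarrow f)} \oplus +_{(t'^\bullet \downarrow f)} & \text{if } t' \notin f(T_Z) \end{cases}$$

• if $e' = x_{s'}$, with $x \in \{+, -\}$, then $(x_{s'} \Downarrow f) = x_{(s' \downarrow f)}$.

The monoidal extension of $(\_ \Downarrow f)$ to multisets of extended events will be denoted by the
same symbol $(\_ \Downarrow f) : \bar{T}_{Z'}^\oplus \to \bar{T}_Z^\oplus$.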

In words, if we think of the embedding $f : Z \to Z'$ as an inclusion, then given a
transition $t'$, the projection $(t' \Downarrow f)$ is the transition itself if $t'$ is in $Z$. Otherwise, if $t'$ is
not in $Z$ but it consumes or produces tokens in places of $Z$, the projection of $t'$ contains
the corresponding extended events, expressing the interactions over open places. Similarly,
the projection of an extended event $+_{s'}$ is the event itself if $s'$ is in $Z$, and it is the empty
multiset otherwise: in fact, in this case $(s' \downarrow f) = 0$.

It is easily checked that the projection operation is well-defined, in the sense that, e.g.,
if $+_s \in (e' \Downarrow f)$ then $s \in O_Z^+$. In fact, if $+_s \in (t' \Downarrow f)$ then $s \in \mathrm{in}(f)$, while if
$+_s \in (+_{s'} \Downarrow f)$ then $s' \in O_{Z'}^+$, and $f(s) = s'$. In both cases $s \in O_Z^+$ by condition 1.(i) of
Definition 1.7.

The projections of multisets of places and extended events enjoy nice properties which 
are summarized by the next lemma. 

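Lemma 1.10 (properties of projection). Let $f : Z \to Z'$ be an open net embedding. Then

(1) for $u_1, u_2 \in S_{Z'}^\oplus$, we have

$((u_1 \oplus u_2) \downarrow f) = (u_1 \downarrow f) \oplus (u_2 \downarrow f)$ and $(0 \downarrow f) = 0$

and for $u \in S_Z^\oplus$

$(f^\oplus(u) \downarrow f) = u$

(2) for $x_1, x_2 \in \bar{T}_{Z'}^\oplus$, we have

$((x_1 \oplus x_2) \Downarrow f) = (x_1 \Downarrow f) \oplus (x_2 \Downarrow f)$ and $(0 \Downarrow f) = 0$

and for $x \in \bar{T}_Z^\oplus$, if $f^\oplus(x)$ is defined we have

$(f^\oplus(x) \Downarrow f) = x$

(3) given $A' \in \bar{T}_{Z'}^\oplus$,

$({}^\bullet A' \downarrow f) = {}^\bullet(A' \Downarrow f)$ and $(A'^\bullet \downarrow f) = (A' \Downarrow f)^\bullet$

(4) for $u \in S_{Z'}^\oplus$, we have

$f^\oplus((u \downarrow f)) \leq u$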

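Proof. Proofs are routine. We prove explicitly only the third point. Since ${}^\bullet(\cdot)$ and $(\cdot)^\bullet$ are
monoidal functions it is sufficient to prove the result only on the generators. We concentrate
on ${}^\bullet(\cdot)$, since the proof for $(\cdot)^\bullet$ is completely analogous.
We distinguish various cases:

• $A' = t' \in T_{Z'}$

If there exists $t \in T_Z$ such that $f(t) = t'$, then $(t' \Downarrow f) = t$. Since $f$ is an open net
morphism $f^\oplus({}^\bullet t) = {}^\bullet t'$ and thus, as desired

$${}^\bullet(t' \Downarrow f) = {}^\bullet t = (f^\oplus({}^\bullet t) \downarrow f) = ({}^\bullet t' \downarrow f)$$

where the second equality is justified by point (1).

If, instead, $t' \notin f(T_Z)$ we have that $(t' \Downarrow f) = -_{({}^\bullet t' \downarrow f)} \oplus +_{(t'^\bullet \downarrow f)}$. Hence, in this
case the result is obvious since

$${}^\bullet(t' \Downarrow f) = {}^\bullet(-_{({}^\bullet t' \downarrow f)} \oplus +_{(t'^\bullet \downarrow f)}) = ({}^\bullet t' \downarrow f)$$

• $A' = +_{s'}$ or $A' = -_{s'}$

Suppose, e.g., that $A' = -_{s'}$. In this case $(A' \Downarrow f) = -_{(s' \downarrow f)}$ and the result trivially holds.

□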
We are now ready to present the main result of this section.

Lemma 1.11 (reflection of behaviour). Let $f : Z \to Z'$ be an open net embedding. For
every step $u' \ [A'\rangle \ v'$ in $Z'$ there is a step $(u' \downarrow f) \ [(A' \Downarrow f)\rangle \ (v' \downarrow f)$ in $Z$, called the
projection of $u' \ [A'\rangle \ v'$ along $f$.

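Proof. Let $f : Z \to Z'$ be an open net embedding and assume that $u' \ [A'\rangle \ v'$ is a step in
$Z'$. Therefore

$u' = u'' \oplus {}^\bullet A'$ and $v' = u'' \oplus A'^\bullet$

Now, we have

$(u' \downarrow f)$

$= (u'' \downarrow f) \oplus ({}^\bullet A' \downarrow f)$ [by Lemma 1.10(1)]

$= (u'' \downarrow f) \oplus {}^\bullet(A' \Downarrow f)$ [by Lemma 1.10(3)]

and similarly

$(v' \downarrow f) = (u'' \downarrow f) \oplus (A' \Downarrow f)^\bullet$

Therefore, as desired, there is the step

$$(u' \downarrow f) = (u'' \downarrow f) \oplus {}^\bullet(A' \Downarrow f) \ [(A' \Downarrow f)\rangle \ (u'' \downarrow f) \oplus (A' \Downarrow f)^\bullet = (v' \downarrow f).$$

□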
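Added example (not code from the paper): a small Python model of Definitions 1.5 and 1.6, condition 1 of Definition 1.7 and the projection of Definition 1.9, used to check Lemma 1.11 on concrete steps. The nets `Z` and `Z_PRIME`, the embedding given as two inclusion dictionaries and all function names are constructed for this illustration; markings and event multisets are `Counter` objects, and an event $+_s$ or $-_s$ is written as the tuple `('+', s)` or `('-', s)`.

```python
from collections import Counter

class OpenNet:
    """Open net: P/T net plus input-open and output-open places (Definition 1.4)."""
    def __init__(self, transitions, open_in=(), open_out=()):
        # transitions: name -> (pre-set, post-set), both multisets of places
        self.transitions = {t: (Counter(a), Counter(b)) for t, (a, b) in transitions.items()}
        self.open_in, self.open_out = set(open_in), set(open_out)

    def pre_post(self, event):
        """Pre- and post-set of one extended event (Definition 1.5)."""
        if isinstance(event, tuple):                  # ('+', s) or ('-', s)
            sign, s = event
            if s not in (self.open_in if sign == '+' else self.open_out):
                raise ValueError(f"{sign}_{s}: place is not open in that direction")
            unit = Counter({s: 1})
            return (Counter(), unit) if sign == '+' else (unit, Counter())
        return self.transitions[event]

    def step(self, u, A):
        """Return v with u [A> v (Definition 1.6), or None if A is not enabled at u."""
        u, pre, post = Counter(u), Counter(), Counter()
        for e, n in A.items():
            a, b = self.pre_post(e)
            for s, k in a.items():
                pre[s] += n * k
            for s, k in b.items():
                post[s] += n * k
        if any(u[s] < k for s, k in pre.items()):
            return None
        return u - pre + post

def project_marking(u, f_places):
    """(u ↓ f) for injective f: place s of Z gets the coefficient of f(s) in u."""
    return Counter({s: u[fs] for s, fs in f_places.items() if u[fs] > 0})

def project_events(A, target, f_places, f_trans):
    """(A ⇓ f) of Definition 1.9, extended monoidally to a multiset A of events of Z'."""
    inv_s = {fs: s for s, fs in f_places.items()}
    inv_t = {ft: t for t, ft in f_trans.items()}
    out = Counter()
    for e, n in A.items():
        if isinstance(e, tuple):                      # x_{s'} becomes x_{(s' ↓ f)}
            if e[1] in inv_s:
                out[(e[0], inv_s[e[1]])] += n
        elif e in inv_t:                              # transition in the image of f
            out[inv_t[e]] += n
        else:                                         # transition outside f(T_Z)
            pre, post = target.transitions[e]
            for s, k in project_marking(pre, f_places).items():
                out[('-', s)] += n * k
            for s, k in project_marking(post, f_places).items():
                out[('+', s)] += n * k
    return out

def condition_1_holds(source, target, f_places, f_trans):
    """Condition 1 of Definition 1.7 for an embedding f : Z -> Z'."""
    image, inn, out = set(f_trans.values()), set(), set()
    for t, (pre, post) in target.transitions.items():
        if t not in image:
            inn |= set(project_marking(post, f_places))   # in(f)
            out |= set(project_marking(pre, f_places))    # out(f)
    refl_in = {s for s, fs in f_places.items() if fs in target.open_in}
    refl_out = {s for s, fs in f_places.items() if fs in target.open_out}
    return (refl_in | inn) <= source.open_in and (refl_out | out) <= source.open_out

# Constructed sample (not a figure from the paper): Z is a subnet of Z_PRIME,
# which adds a transition c attached to the open places of Z and closes them.
Z = OpenNet({'t': ({'s2': 1}, {'s': 1})}, open_in={'s2'}, open_out={'s'})
Z_PRIME = OpenNet({'t': ({'s2': 1}, {'s': 1}),
                   'c': ({'s': 1}, {'s2': 1, 's3': 1})})
F_PLACES = {'s': 's', 's2': 's2'}     # inclusion on places
F_TRANS = {'t': 't'}                  # inclusion on transitions

def reflect_step(u_prime, A_prime):
    """Fire A' in Z', project markings and step along f, fire the projection in Z."""
    v_prime = Z_PRIME.step(u_prime, A_prime)
    if v_prime is None:
        return None
    A = project_events(A_prime, Z_PRIME, F_PLACES, F_TRANS)
    v = Z.step(project_marking(Counter(u_prime), F_PLACES), A)
    return A, v, v == project_marking(v_prime, F_PLACES)

if __name__ == "__main__":
    print(condition_1_holds(Z, Z_PRIME, F_PLACES, F_TRANS))
    print(reflect_step(Counter(s=1, s2=1, s3=1), Counter(t=1, c=1)))
```

The firing of `c` in `Z_PRIME` shows up in `Z` only as the pair of environment events on the open places, which is why the check fails as soon as `s` is not output open in the source net.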

Observe that there is an obvious forgetful functor $\mathcal{F} : \mathbf{ONet} \to \mathbf{Net}$, defined by
$\mathcal{F}(Z) = N_Z$ and $\mathcal{F}(f : Z_0 \to Z_1) = f : N_{Z_0} \to N_{Z_1}$. Since functor $\mathcal{F}$ acts on arrows as
the identity, with abuse of notation, given an open net morphism $f : Z_0 \to Z_1$ we will often write
$f : \mathcal{F}(Z_1) \to \mathcal{F}(Z_2)$ instead of $\mathcal{F}(f) : \mathcal{F}(Z_1) \to \mathcal{F}(Z_2)$.



2. Composing Open Nets 

We introduce next a basic mechanism for composing open nets which is characterised 
as a pushout construction in category ONet. A pushout is a canonical way of describing a 
gluing construction. The case of unmarked nets was already discussed in pQ. Here we extend 
the theory to deal with marked open nets. This will allow later to define reconfigurations 
of open nets, where the applicability of a reconfiguration rule can depend on the marking. 
Intuitively, two open nets $Z_1$ and $Z_2$ are composed by specifying a common subnet $Z_0$, and
then by joining the two nets along $Z_0$.

Let us start with a technical definition which will be useful below. 

Proposition 2.1 (composition of multisets). Consider a pushout diagram in the category
of sets as below, where all morphisms are injective.
Given $u_1 \in S_1^\oplus$ and $u_2 \in S_2^\oplus$ such that $(u_1 \downarrow f_1) = (u_2 \downarrow f_2) = u_0$, there is a
(unique) multiset $u_3 \in S_3^\oplus$ such that $(u_3 \downarrow \alpha_i) = u_i$, for $i \in \{1, 2\}$. Such a multiset $u_3$ will
be denoted by $u_3 = u_1 \uplus_{u_0} u_2$ or simply by $u_1 \uplus u_2$ when
making $u_0$ explicit is not needed.

Additionally, if $u_3 = u_1 \uplus_{u_0} u_2$ and $u'_3 = u'_1 \uplus_{u'_0} u'_2$, then
$u_3 \oplus u'_3 = (u_1 \oplus u'_1) \uplus_{(u_0 \oplus u'_0)} (u_2 \oplus u'_2)$.




Proof. Define $u_3 \in S_3^\oplus$ as follows: for each $s \in S_3$,

$$u_3(s) = \begin{cases} u_1(s_1) & \text{if } \exists s_1 \in S_1 \text{ such that } \alpha_1(s_1) = s \\ u_2(s_2) & \text{if } \exists s_2 \in S_2 \text{ such that } \alpha_2(s_2) = s \end{cases}$$

Let us start checking that $u_3$ is well-defined. In fact, firstly, the definition assigns a coefficient
to every $s \in S_3$ because $\alpha_1$ and $\alpha_2$ are jointly surjective. Secondly, if there are $s_1 \in S_1$
and $s_2 \in S_2$ such that $\alpha_1(s_1) = \alpha_2(s_2)$, since the square is a pushout and all functions
are injective we have $f_1^{-1}(s_1) = \{s_0\}$ and $f_2^{-1}(s_2) = \{s_0\}$ for some $s_0 \in S_0$: thus, since
$(u_1 \downarrow f_1) = (u_2 \downarrow f_2)$ by hypothesis, we obtain
$u_1(s_1) = u_1(f_1(s_0)) = (u_1 \downarrow f_1)(s_0) = (u_2 \downarrow f_2)(s_0) = u_2(f_2(s_0)) = u_2(s_2)$.

Now, in order to prove (for $i \in \{1,2\}$) that $(u_3 \downarrow \alpha_i) = u_i$, notice that, since $\alpha_i$ is
injective, this amounts to show that for any $s \in S_i$ we have $u_i(s) = u_3(\alpha_i(s))$, which is
immediate by the definition of $u_3$.

Concerning the second part of the statement, let $u_3 = u_1 \uplus_{u_0} u_2$ and $u'_3 = u'_1 \uplus_{u'_0} u'_2$.
Then just observe that by Lemma 1.10(1), we have for $i \in \{1, 2\}$

$$((u_3 \oplus u'_3) \downarrow \alpha_i) = (u_3 \downarrow \alpha_i) \oplus (u'_3 \downarrow \alpha_i) = u_i \oplus u'_i$$

hence the result $u_3 \oplus u'_3 = (u_1 \oplus u'_1) \uplus_{(u_0 \oplus u'_0)} (u_2 \oplus u'_2)$ follows by the defining property of
the composition of markings. □

Intuitively, the multiset $u_1 \uplus_{u_0} u_2$ can be seen as the "least upper bound" of the images
of the two multisets in $S_3^\oplus$.

As in O [3], two embeddings $f_1 : Z_0 \to Z_1$ and $f_2 : Z_0 \to Z_2$ are called composable if
the places which are used as interface by $f_1$, i.e., the places $\mathrm{in}(f_1)$ and $\mathrm{out}(f_1)$, are mapped
by $f_2$ to input and output open places of $Z_2$, respectively, and also the symmetric condition
holds.

Definition 2.2 (composability of embeddings). Let $f_1 : Z_0 \to Z_1$, $f_2 : Z_0 \to Z_2$ be
embeddings in ONet (see Fig. 3). We say that $f_1$ and $f_2$ are composable if

(1) $f_2(\mathrm{in}(f_1)) \subseteq O_{Z_2}^+$ and $f_2(\mathrm{out}(f_1)) \subseteq O_{Z_2}^-$;

(2) $f_1(\mathrm{in}(f_2)) \subseteq O_{Z_1}^+$ and $f_1(\mathrm{out}(f_2)) \subseteq O_{Z_1}^-$.

Composability is necessary and sufficient to ensure that the pushout of $f_1$ and $f_2$ can
be computed in Net and then lifted to ONet.

Proposition 2.3 (pushouts in ONet). Let $f_1 : Z_0 \to Z_1$, $f_2 : Z_0 \to Z_2$ be embeddings in
ONet (see Fig. 3). Compute the pushout of the corresponding diagram in category Net
obtaining net $N_{Z_3}$ and morphisms $\alpha_1$ and $\alpha_2$¹, and then take as open places, for $x \in \{+, -\}$,

$$O_{Z_3}^x = \{s_3 \in S_{Z_3} : \alpha_1^{-1}(s_3) \subseteq O_{Z_1}^x \wedge \alpha_2^{-1}(s_3) \subseteq O_{Z_2}^x\}$$

and as initial marking $u_3 = u_1 \uplus_{u_0} u_2$, defined according to Proposition 2.1. Then $(\alpha_1, Z_3, \alpha_2)$
is the pushout in ONet of $f_1$ and $f_2$ if and only if $f_1$ and $f_2$ are composable. In this case
we write $Z_3 = Z_1 +_{f_1, f_2} Z_2$.

Proof. We know by [1] (Proposition 6) that the above result holds for unmarked nets, i.e., in
the category ONet$^u$. Here we must additionally show that (i) the $\alpha_i$ are marked morphisms
and that (ii) if we take any other net $Z'_3$, with $\alpha'_i : Z_i \to Z'_3$ making the diagram commute,
then the mediating morphism $\gamma : Z_3 \to Z'_3$ (which exists uniquely as an unmarked net
morphism by the result in [1]) respects the condition on the marking.

Now, (i) is immediate since Proposition 2.1 tells us that $(u_3 \downarrow \alpha_i) = u_i$ for $i \in \{1,2\}$.
Property (ii) can be proved along the same lines. □

¹ The pushout in Net is computed componentwise on places and transitions, by defining the pre- and
post-set functions, for any $t_i \in T_{Z_i}$, $i \in \{1, 2\}$, as $\sigma_{Z_3}(\alpha_i(t_i)) = \alpha_i^\oplus(\sigma_{Z_i}(t_i))$ and
$\tau_{Z_3}(\alpha_i(t_i)) = \alpha_i^\oplus(\tau_{Z_i}(t_i))$.
It is routine to show that this definition is well given.
Figure 3: Pushout in ONet.




Figure 4: An example of a pushout in ONet. 

As an example, the open net embeddings $f_1$ and $f_2$ in Fig. 4 are composable. In fact,
$\mathrm{in}(f_1) = \{s'\}$, $\mathrm{out}(f_1) = \{s\}$ and $\mathrm{in}(f_2) = \{s\}$, $\mathrm{out}(f_2) = \{s'\}$, and thus it is easy to see that
the conditions of Definition 2.2 are satisfied. The net $Z_3$ is the resulting pushout object.

3. Composing Steps 

In this section we analyse the behaviour of an open net $Z_3$ arising as the composition
of two nets $Z_1$ and $Z_2$ along an interface $Z_0$. More specifically, we show that steps of the
component nets $Z_1$ and $Z_2$ can be "composed" to give a step of $Z_3$ when they agree on the
interface and satisfy suitable compatibility conditions.

For instance, concerning the example pushout in Fig. 4, note that net $Z_1$ can fire the
transition labelled a and the lower transition labelled c. If this is "mimicked" in $Z_2$ by firing
a and putting a token into the lower place $s'$ (via an interaction $+_{s'}$ with the environment),
then such steps are compatible in a sense made precise below and can be combined into a
step of the composed net $Z_3$.

We start with a technical lemma which will be pivotal in the paper. Assume that the 
first component makes a step and the second component imitates this step, acting only on 
the places of the common interface, without firing any internal transition. Then the two 
local steps can be combined to a step of the composed net. 
Lemma 3.1. Let $Z_3 = Z_1 +_{f_1, f_2} Z_2$ be the pushout of two composable embeddings
$f_1 : Z_0 \to Z_1$ and $f_2 : Z_0 \to Z_2$ in ONet (see Fig. 3). Let $u_1 \ [A_1\rangle \ v_1$ and $u_2 \ [A_2\rangle \ v_2$ be
steps in $Z_1$ and $Z_2$, respectively, such that $(u_1 \downarrow f_1) = (u_2 \downarrow f_2)$ and $A_2 = f_2^\oplus((A_1 \Downarrow f_1))$.
Then $(v_1 \downarrow f_1) = (v_2 \downarrow f_2)$ and, if we define $A_3 = \alpha_1^\oplus(A_1)$,

$$u_1 \uplus u_2 \ [A_3\rangle \ v_1 \uplus v_2.$$

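Proof. Let us start showing that $A_3 = \alpha_1^\oplus(A_1)$ is defined, i.e., that for $x \in \{+, -\}$ if $x_s \in A_1$
then $\alpha_1(s) \in O_{Z_3}^x$. In fact $x_s \in A_1$ implies that $s \in O_{Z_1}^x$; now either $s \notin f_1(S_{Z_0})$ and then
$\alpha_1(s) \in O_{Z_3}^x$ by Proposition 2.3. Otherwise, since $f_1$ is an embedding, there is exactly one
place in $S_{Z_0}$ which is mapped to $s$. With a little abuse of notation let such place be denoted
$f_1^{-1}(s)$. Then clearly $f_1^{-1}(s) \in O_{Z_0}^x$ because $f_1$ is a morphism, and $f_2(f_1^{-1}(s)) \in O_{Z_2}^x$ because
$f_2^\oplus((A_1 \Downarrow f_1)) = A_2$ is defined by hypothesis; thus again $\alpha_1(s) \in O_{Z_3}^x$ by Proposition 2.3.
Next observe that, since $A_2 = f_2^\oplus((A_1 \Downarrow f_1))$ is defined, by Lemma 1.10(2),

$$(A_2 \Downarrow f_2) = (A_1 \Downarrow f_1).$$

Let $A_0 = (A_i \Downarrow f_i)$ for $i \in \{1,2\}$, be the common projection. As a consequence, we have
${}^\bullet(A_2 \Downarrow f_2) = {}^\bullet(A_1 \Downarrow f_1)$ and thus, by Lemma 1.10(3)

$$({}^\bullet A_1 \downarrow f_1) = ({}^\bullet A_2 \downarrow f_2)$$

so that we can consider the composition of markings ${}^\bullet A_1 \uplus_{{}^\bullet A_0} {}^\bullet A_2$. We claim that

$${}^\bullet A_3 = {}^\bullet A_1 \uplus_{{}^\bullet A_0} {}^\bullet A_2 \qquad (3.1)$$

and symmetrically, since $(A_1^\bullet \downarrow f_1) = (A_2^\bullet \downarrow f_2)$, that

$$A_3^\bullet = A_1^\bullet \uplus_{A_0^\bullet} A_2^\bullet$$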
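Let us concentrate on ${}^\bullet(\cdot)$, as the other case is analogous. To prove (3.1), by
Proposition 2.1 we can show that $({}^\bullet A_3 \downarrow \alpha_1) = {}^\bullet A_1$ and $({}^\bullet A_3 \downarrow \alpha_2) = {}^\bullet A_2$. In fact we have

$({}^\bullet A_3 \downarrow \alpha_1)$

$= {}^\bullet(A_3 \Downarrow \alpha_1)$ [by Lemma 1.10(3)]

$= {}^\bullet(\alpha_1^\oplus(A_1) \Downarrow \alpha_1)$ [by definition of $A_3$]

$= {}^\bullet A_1$ [by Lemma 1.10(2)]

and

$({}^\bullet A_3 \downarrow \alpha_2)$

$= {}^\bullet(A_3 \Downarrow \alpha_2)$ [by Lemma 1.10(3)]

$= {}^\bullet(\alpha_1^\oplus(A_1) \Downarrow \alpha_2)$ [by definition of $A_3$]

Thus to conclude we must show that ${}^\bullet(\alpha_1^\oplus(A_1) \Downarrow \alpha_2) = {}^\bullet A_2$, and this is proved by showing

$$(\alpha_1^\oplus(A_1) \Downarrow \alpha_2) = f_2^\oplus((A_1 \Downarrow f_1)) \ [= A_2] \qquad (3.2)$$

Since $(\_ \Downarrow \_)$ is monoidal in the first argument by Lemma 1.10(1), it is sufficient to show (3.2)
on generators:

• $A_1 = t_1$

We distinguish two subcases. If $(t_1 \Downarrow f_1) = t_0 \in T_{Z_0}$ then $A_2 = f_2(t_0) = (\alpha_1(t_1) \Downarrow \alpha_2)$, as
desired, by construction of the pushout.

If, instead, $(t_1 \Downarrow f_1) = -_{({}^\bullet t_1 \downarrow f_1)} \oplus +_{(t_1^\bullet \downarrow f_1)}$ then

$$A_2 = -_{f_2^\oplus(({}^\bullet t_1 \downarrow f_1))} \oplus +_{f_2^\oplus((t_1^\bullet \downarrow f_1))}$$

On the other hand, we have

$$(\alpha_1^\oplus(A_1) \Downarrow \alpha_2) = (\alpha_1(t_1) \Downarrow \alpha_2) = -_{({}^\bullet \alpha_1(t_1) \downarrow \alpha_2)} \oplus +_{(\alpha_1(t_1)^\bullet \downarrow \alpha_2)}$$

Now, by exploiting the fact that $Z_3$ is a pushout, it is easy to see that
$f_2^\oplus(({}^\bullet t_1 \downarrow f_1)) = ({}^\bullet \alpha_1(t_1) \downarrow \alpha_2)$ and similarly
$f_2^\oplus((t_1^\bullet \downarrow f_1)) = (\alpha_1(t_1)^\bullet \downarrow \alpha_2)$. Hence we conclude that
$A_2 = (\alpha_1^\oplus(A_1) \Downarrow \alpha_2)$, as desired.

• $A_1 = +_{s_1}$ or $A_1 = -_{s_1}$

Assume, for instance, that $A_1 = +_{s_1}$ (the other case is completely analogous). Therefore

$$A_2 = f_2^\oplus((A_1 \Downarrow f_1)) = +_{f_2^\oplus((s_1 \downarrow f_1))}$$

On the other hand

$$(\alpha_1^\oplus(A_1) \Downarrow \alpha_2) = (+_{\alpha_1(s_1)} \Downarrow \alpha_2) = +_{(\alpha_1(s_1) \downarrow \alpha_2)}$$

and, again, by the fact that $Z_3$ is a pushout, we deduce easily that
$f_2^\oplus((s_1 \downarrow f_1)) = (\alpha_1(s_1) \downarrow \alpha_2)$, hence the desired equality.
This concludes the proof of (3.2), from which (3.1) follows.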

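Now, by exploiting (3.1) we can easily conclude. In fact, the steps in $Z_1$ and $Z_2$ are of
the kind

$$u_i = u'_i \oplus {}^\bullet A_i \ [A_i\rangle \ u'_i \oplus A_i^\bullet = v_i$$

for $i \in \{1,2\}$. First observe that, since $(u_1 \downarrow f_1) = (u_2 \downarrow f_2)$ and
$({}^\bullet A_1 \downarrow f_1) = ({}^\bullet A_2 \downarrow f_2)$, we immediately get:

$$(u'_1 \downarrow f_1) = (u'_2 \downarrow f_2)$$

Let $u'_0 = (u'_i \downarrow f_i)$, for $i \in \{1,2\}$, be the common projection. Since $v_i = u'_i \oplus A_i^\bullet$, for
$i \in \{1,2\}$, by the fact that $(A_1^\bullet \downarrow f_1) = (A_2^\bullet \downarrow f_2)$, we deduce that, as desired

$$(v_1 \downarrow f_1) = (v_2 \downarrow f_2)$$

Hence, if $v_0 = (v_i \downarrow f_i)$ is the common projection, we can define $v_3 = v_1 \uplus_{v_0} v_2$.
Now, if we set $u'_3 = u'_1 \uplus_{u'_0} u'_2$ we have

$u_3 = u_1 \uplus_{u_0} u_2$

$= (u'_1 \oplus {}^\bullet A_1) \uplus_{u'_0 \oplus {}^\bullet A_0} (u'_2 \oplus {}^\bullet A_2)$

$= (u'_1 \uplus_{u'_0} u'_2) \oplus ({}^\bullet A_1 \uplus_{{}^\bullet A_0} {}^\bullet A_2)$ [by Proposition 2.1]

$= u'_3 \oplus {}^\bullet A_3$ [by (3.1)]

Therefore we have the step

$$u_3 \ [A_3\rangle \ u'_3 \oplus A_3^\bullet.$$

By a sequence of passages analogous to those used above, we can show that $u'_3 \oplus A_3^\bullet = v_3$
and thus, as desired, $u_3 \ [A_3\rangle \ v_3$.

The fact that such step projects to $u_i \ [A_i\rangle \ v_i$ for $i \in \{1,2\}$ immediately follows by
construction. □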

We are now able to show how steps of the component nets can be "joined" to a step of
their composition, provided that the steps satisfy a suitable compatibility condition, that
we are going to introduce. Roughly, we must be able to split each of the two steps $A_1$, $A_2$
into an internal part $A_i^I$ and an external part $A_i^E$, with the intuition that the external part
can include only firings of transitions in the interface and interactions with the environment
induced by the internal part of the other step.

Put more precisely, from the point of view of $Z_1$ the events can be of four different kinds:
(1) transitions that are local to $Z_1$, (2) transitions that occur also in $Z_0$, (3) interactions with
$Z_2$ (of the form $+_s$, $-_s$), (4) interactions with the environment of both nets (also of the form
$+_s$, $-_s$). Now if one splits the set $A_1$ into $A_1^I$ and $A_1^E$, it is necessary to put all events of
type (1) into $A_1^I$ and all events of type (3) into $A_1^E$. For the remaining two types we have
a choice, but whenever we put an event of $Z_1$ into $A_1^E$, we have to put the corresponding
event in $Z_2$ into $A_2^I$ (and vice versa).

For reasons of simplicity we have chosen to work with a split into only two sets instead 
of four, even if this split is non-unique. 

Definition 3.2 (compatible steps). Let $Z_3 = Z_1 +_{f_1,f_2} Z_2$ be a pushout in ONet. We say
that two steps $u_i \;[A_i\rangle\; v_i$ ($i \in \{1,2\}$) are compatible if $(u_1 \downarrow f_1) = (u_2 \downarrow f_2)$ and we can
decompose the steps as $A_i = A_i^I \oplus A_i^E$ ($i \in \{1,2\}$) such that

$A_2^E = f_2^\oplus((A_1^I \Downarrow f_1))$ and $A_1^E = f_1^\oplus((A_2^I \Downarrow f_2))$

It is immediate to see that if $A_1$ and $A_2$ are compatible, then $(A_1 \Downarrow f_1) = (A_2 \Downarrow f_2)$.

For instance, let us consider again the pushout in Fig. |H Two compatible steps can
be $A_1 = t_0 \oplus t_1'$ and $A_2 = t_0 \oplus +_{s'}$. The compatibility is witnessed by the decomposition
$A_1^I = A_1$, $A_1^E = 0$ and $A_2^I = 0$, $A_2^E = A_2$. As mentioned above such decompositions are
not uniquely determined: alternative ones are given by $A_1^I = t_1'$, $A_1^E = t_0$ and $A_2^I = t_0$,
$A_2^E = +_{s'}$. Note that since transition $t_0$ also belongs to the interface, it can be considered
either internal to $Z_1$ or internal to $Z_2$, while $t_1'$ has to be considered internal to $Z_1$, and the
interaction $+_{s'}$ on the open place $s'$ has to be considered external to $Z_2$.

Another simple example of compatible steps is given by $A_1 = -_s$ and $A_2 = -_s$. In this
case, we have the choice to consider the only event $-_s$ internal to $Z_1$ and external to $Z_2$ or
vice versa.

Lemma 3.3 (composing steps). Let $f_1 : Z_0 \to Z_1$ and $f_2 : Z_0 \to Z_2$ be composable embeddings
in ONet and let $Z_3 = Z_1 +_{f_1,f_2} Z_2$. Let $u_1 \;[A_1\rangle\; v_1$ and $u_2 \;[A_2\rangle\; v_2$ be compatible steps
and let $A_i = A_i^I \oplus A_i^E$, for $i \in \{1,2\}$, be a corresponding decomposition (see Definition 3.2).
Then there exists a unique step $u_3 \;[A_3\rangle\; v_3$, with $A_3 = \alpha_1^\oplus(A_1^I) \oplus \alpha_2^\oplus(A_2^I)$, which is projected
to $u_i \;[A_i\rangle\; v_i$ along $\alpha_i$ for $i \in \{1,2\}$.

Vice versa, any step $u_3 \;[A_3\rangle\; v_3$ projects over two compatible steps $u_1 \;[(A_3 \Downarrow \alpha_1)\rangle\; v_1$ of
$Z_1$ and $u_2 \;[(A_3 \Downarrow \alpha_2)\rangle\; v_2$ of $Z_2$, whose composition gives back the original step.

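Proof. Concerning the first part, by definition of compatibility, we know that $A_1$ and $A_2$
can be decomposed as $A_i = A_i^I \oplus A_i^E$ ($i \in \{1,2\}$) such that

$A_2^E = f_2^\oplus((A_1^I \Downarrow f_1))$ and $A_1^E = f_1^\oplus((A_2^I \Downarrow f_2))$.

Moreover, $(u_1 \downarrow f_1) = (u_2 \downarrow f_2)$.

Now, since $u_i \;[A_i^I \oplus A_i^E\rangle\; v_i$, we can find markings $u_i^I$, $u_i^E$, $v_i^I$, $v_i^E$ such that

$u_1^I \;[A_1^I\rangle\; v_1^I, \quad u_2^E \;[A_2^E\rangle\; v_2^E, \quad (u_1^I \downarrow f_1) = (u_2^E \downarrow f_2)$

$u_1^E \;[A_1^E\rangle\; v_1^E, \quad u_2^I \;[A_2^I\rangle\; v_2^I, \quad (u_1^E \downarrow f_1) = (u_2^I \downarrow f_2)$

In fact, just observe that, since $u_i \;[A_i\rangle\; v_i$, the marking $u_i$ must be of the kind $w_i \oplus {}^\bullet A_i^I \oplus {}^\bullet A_i^E$
and similarly $v_i = w_i \oplus A_i^{I\bullet} \oplus A_i^{E\bullet}$. Thus we could choose

$u_1^I = {}^\bullet A_1^I, \quad v_1^I = A_1^{I\bullet}, \quad u_2^E = {}^\bullet A_2^E, \quad v_2^E = A_2^{E\bullet},$

and dually

$u_1^E = {}^\bullet A_1^E \oplus w_1, \quad v_1^E = A_1^{E\bullet} \oplus w_1, \quad u_2^I = {}^\bullet A_2^I \oplus w_2, \quad v_2^I = A_2^{I\bullet} \oplus w_2$

Therefore, we can use Lemma 3.1 and, defining $u_3' = u_1^I \uplus u_2^E$, $u_3'' = u_1^E \uplus u_2^I$, $v_3' = v_1^I \uplus v_2^E$,
$v_3'' = v_1^E \uplus v_2^I$, we conclude

$u_3' \;[\alpha_1^\oplus(A_1^I)\rangle\; v_3'$ and $u_3'' \;[\alpha_2^\oplus(A_2^I)\rangle\; v_3''$

Therefore

$u_3' \oplus u_3'' \;[\alpha_1^\oplus(A_1^I) \oplus \alpha_2^\oplus(A_2^I)\rangle\; v_3' \oplus v_3''$

By exploiting Proposition 2.1 we easily see that $u_3' \oplus u_3'' = (u_1^I \oplus u_1^E) \uplus_{u_0} (u_2^E \oplus u_2^I) = u_1 \uplus_{u_0} u_2$,
where $u_0$ denotes the common projection of $u_1$ and $u_2$ over $Z_0$. Similarly, $v_3' \oplus v_3'' = v_1 \uplus v_2$
and thus

$u_1 \uplus u_2 \;[\alpha_1^\oplus(A_1^I) \oplus \alpha_2^\oplus(A_2^I)\rangle\; v_1 \uplus v_2$

is the desired step. The fact that it projects over the steps we started from in $Z_1$ and $Z_2$
follows by construction.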

For the second part, consider any step $u_3 \;[A_3\rangle\; v_3$. Let $A_1 = (A_3 \Downarrow \alpha_1)$ and $A_2 = (A_3 \Downarrow \alpha_2)$.
Decompose $A_3$ as

$A_3 = A_3^1 \oplus A_3^2 \oplus A_3^0 \oplus A_3^{open}$

where $A_3^j$, for $j \in \{1,2\}$ includes only transitions in $\alpha_j(T_{Z_j} - f_j(T_{Z_0}))$, $A_3^0$ includes only
transitions in $\alpha_1(f_1(T_{Z_0}))$ and finally $A_3^{open}$ includes only interactions with the environment.
Then, if we define

$A_1^I = (A_3^1 \Downarrow \alpha_1) \qquad A_1^E = A_1 \ominus A_1^I$

$A_2^I = ((A_3^2 \oplus A_3^0 \oplus A_3^{open}) \Downarrow \alpha_2) \qquad A_2^E = A_2 \ominus A_2^I$

it is easy to show that the decomposition satisfies the requirements in Definition 3.2, hence
the two steps are compatible, and their composition is immediately seen to give back the
original step. □

Note that, in the decomposition of steps $A_1$ and $A_2$ considered in the proof above, all
firings of transitions in the interface $Z_0$ are included in the internal part of $A_2$, i.e., no such
transition is included in $A_1^I$. The possibility of having a decomposition with these properties
will be useful later, in the proof of the congruence results.

4. BISIMILARITY OF OPEN NETS 

In this section we study various notions of bisimilarity for open nets, proving that they 
are congruences with respect to the colimit-based composition operation. The considered 
behavioural equivalences will differ for the choice of the observations, which can be single 
firings or parallel steps. Additionally, we will consider weak forms of such equivalences, 
arising in the presence of unobservable actions. 

4.1. A High Level View on the Congruence Results. 

A first step consists of defining suitable labelled transition systems (ltss) associated with 
an open net. Generally speaking, net transitions carry a label which is observed when they 
fire. Additionally, in the labelled transition systems we also observe what happens at the 
open places. This corresponds to observing the potential interactions with the surrounding 
environment, as open places act as gluing points in the composition operation, and it is 
pivotal for the mentioned congruence results. 

Given an open net $Z$, the labeled transition systems we shall consider will have all
markings of the net, $S_Z^\oplus$, as states, but they will differ concerning the transitions and their
labels. For example, in the firing lts the transitions are generated by the firings of $Z$, and
correspondingly they are labelled over the set

$\Lambda_Z = \Lambda \cup \{+_s : s \in O_Z^+\} \cup \{-_s : s \in O_Z^-\}$.

As discussed in the conclusions, the firing lts resembles the labelled transition system
arising from the view of Petri nets as reactive systems in [26, 35]. Analogous LTSs are
also obtained in [43] with the use of pseudo-transitions and in [29] by inserting a net in a
universal context.

Instead, in the step lts the transitions are generated by the steps of $Z$, and they are
labeled over $\Lambda_Z^\oplus$. The corresponding notion of bisimilarity will capture, to some extent, the
concurrency properties of the system (see, e.g., [Ml [30]).

For notational convenience we extend the labelling function $\lambda_Z$ to the set of extended
events $\bar{T}_Z$, by defining $\lambda_Z(x) = x$ for $x \in \bar{T}_Z - T_Z$ (i.e., for $x = +_s$ or $x = -_s$ with $s \in S_Z$).

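Definition 4.1 (step and firing lts for an open net). The step LTS associated to an open
net $Z$ is the pair $\langle S_Z^\oplus, \to_{S,Z} \rangle$, where states are markings $u_Z \in S_Z^\oplus$ and the transition relation
$\to_{S,Z} \subseteq S_Z^\oplus \times \Lambda_Z^\oplus \times S_Z^\oplus$ includes all transitions

$u_Z \xrightarrow{\lambda_Z^\oplus(A)}_{S,Z} u_Z'$

for all markings $u_Z, u_Z' \in S_Z^\oplus$ and $A \in \bar{T}_Z^\oplus$ such that there is a step $u_Z \;[A\rangle\; u_Z'$ in $Z$. The
firing lts $\langle S_Z^\oplus, \to_{F,Z} \rangle$ is defined similarly: the transition relation $\to_{F,Z} \subseteq S_Z^\oplus \times \Lambda_Z \times S_Z^\oplus$
includes all transitions

$u_Z \xrightarrow{\lambda_Z(e)}_{F,Z} u_Z'$

such that there is a firing $u_Z \;[e\rangle\; u_Z'$ in $Z$, with $e \in \bar{T}_Z$.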

As we have done above for the transition relations, in the sequel the subscripts "S" and 
"F" will be used for distinguishing notions based on the step and on the firing behaviour, 
respectively, of a net. 

When observing the behaviour of a system, usually only a subset of events is considered
visible. Here this is formalised by selecting a subset of labels representing internal firings,
playing a role similar to $\tau$-actions in process calculi, and then considering a corresponding
notion of weak bisimilarity. Let $\Lambda_\tau \subseteq \Lambda$ be a subset of unobservable labels, fixed for the
rest of the paper.

Definition 4.2 (weak transition systems). For $x \in \{S, F\}$ we write $v \overset{\ell}{\leadsto}_{x,Z} v'$ if $v, v' \in S_Z^\oplus$
are markings such that $v \xrightarrow{\ell'}_{x,Z} v'$ with $\ell = (\ell' \downarrow (\Lambda - \Lambda_\tau))$. Then the weak (step or firing)
lts is defined by letting

$v \overset{0}{\Rightarrow}_{x,Z} v'$ whenever $v \overset{0}{\leadsto}{}^{*}_{x,Z} v'$.

$v \overset{\ell}{\Rightarrow}_{x,Z} v'$ whenever $v \overset{0}{\leadsto}{}^{*}_{x,Z} \overset{\ell}{\leadsto}_{x,Z} \overset{0}{\leadsto}{}^{*}_{x,Z} v'$, $\ell \neq 0$.

Transitions labelled with $0$ will be often referred to as $\tau$-transitions or silent transitions.

Weak step and firing bisimilarity is now defined in a standard way, but note that when
the set of unobservable labels is empty, this actually corresponds to strong bisimilarity.
Only, in order to be able to relate the extended events of the two nets, we need to specify
for each open place of one net which is the corresponding open place in the other net;
therefore bisimulations between two nets are parametrised by a bijection between their
open places. Given two open nets $Z_1$ and $Z_2$ a correspondence $\eta = (\eta^+, \eta^-)$ between $Z_1$
and $Z_2$ is a pair of bijections $\eta^+ : O_{Z_1}^+ \to O_{Z_2}^+$ and $\eta^- : O_{Z_1}^- \to O_{Z_2}^-$. In order to simplify
the notation, in the following, given an open place $s_1 \in O_{Z_1}^+ \cup O_{Z_1}^-$ we will write simply
$\eta(s_1)$ to denote its image through the appropriate component of $\eta$, i.e., a correspondence
$\eta = (\eta^+, \eta^-)$ will be identified with the function $\eta^+ \cup \eta^- : O_{Z_1}^+ \cup O_{Z_1}^- \to O_{Z_2}^+ \cup O_{Z_2}^-$.

Figure 5: Two open nets which are firing bisimilar but not step bisimilar.
Definition 4.3 ((weak) step and firing bisimilarity). Let $Z_1$, $Z_2$ be open nets and $\eta : O_{Z_1} \leftrightarrow O_{Z_2}$
be a correspondence between $Z_1$ and $Z_2$. A (weak) $\eta$-x-bisimulation (with $x \in \{S, F\}$,
S for step and F for firing) between $Z_1$ and $Z_2$ is a relation over markings $\mathfrak{R} \subseteq S_{Z_1}^\oplus \times S_{Z_2}^\oplus$
such that if $(u_1, u_2) \in \mathfrak{R}$ then

• if $u_1 \overset{\ell}{\leadsto}_{x,Z_1} u_1'$ in $Z_1$, then there exists $u_2'$ such that $u_2 \overset{\eta(\ell)}{\Rightarrow}_{x,Z_2} u_2'$ in $Z_2$ and $(u_1', u_2') \in \mathfrak{R}$;

• the symmetric condition holds;

where $\eta(+_s) = +_{\eta(s)}$, $\eta(-_s) = -_{\eta(s)}$ and $\eta(\ell) = \ell$ for any $\ell \in \Lambda$.

Two open nets $Z_1$ and $Z_2$ are (weakly) $\eta$-x-bisimilar, denoted $Z_1 \approx_x^\eta Z_2$, if $\eta : O_{Z_1} \leftrightarrow O_{Z_2}$
is a correspondence and there exists a (weak) $\eta$-bisimulation $\mathfrak{R}$ over $Z_1$ and $Z_2$ such
that $(u_1, u_2) \in \mathfrak{R}$. We will say that $Z_1$ and $Z_2$ are (weakly) x-bisimilar, written $Z_1 \approx_x Z_2$,
if $Z_1 \approx_x^\eta Z_2$ for some correspondence $\eta$.

Clearly, step bisimilarity is finer than firing bisimilarity, i.e., if $Z_1 \approx_S Z_2$ then $Z_1 \approx_F Z_2$.

Observe that in the definition of step bisimilarity, whenever $v \overset{\ell}{\Rightarrow}_{S,Z} v'$ and thus
$v \overset{0}{\leadsto}{}^{*}_{S,Z} \overset{\ell}{\leadsto}_{S,Z} \overset{0}{\leadsto}{}^{*}_{S,Z} v'$, one can assume that the step inducing $\overset{\ell}{\leadsto}_{S,Z}$ does not include any
$\tau$-transition (since, if this is not the case, the $\tau$-transitions can be anticipated or postponed).

As an example, consider the open nets in Fig. 5, which can be seen as the representation
of (part of) the booking process in a travel agency. The bookings of the flight (bookFlight)
and of the hotel (bookHotel) are independent and could be performed in parallel. However,
this is possible only for agency A (Fig. 5(a)), while in agency B (Fig. 5(b)), where a single
person takes care of all bookings, the two actions will be executed sequentially. Now, it is
easy to check that, assuming that only the actions bookFlight and bookHotel are visible, the
two nets are firing bisimilar, but they are not step bisimilar. Hence, as already mentioned,
step bisimilarity discriminates also according to the degree of parallelism that is possible in
a computation.
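The difference between the firing and the step LTS of Definitions 4.1 to 4.3 can be checked mechanically on small nets. The following Python code is an added example, not code from the paper: the two nets are constructed stand-ins for the agencies of Fig. 5 (place and transition names, the silent `rel` transition and the absence of open places, which keeps the state space finite, are assumptions), and weak bisimilarity is decided as strong bisimilarity of the saturated LTS.

```python
from itertools import combinations_with_replacement

TAU = "tau"  # the only unobservable label (assumption of this example)

# Constructed closed nets: transition -> (label, pre-set, post-set), multisets as dicts.
AGENCY_A = {  # two clerks: the bookings are independent
    "tf": ("bookFlight", {"reqF": 1}, {"doneF": 1}),
    "th": ("bookHotel", {"reqH": 1}, {"doneH": 1}),
}
AGENCY_B = {  # one clerk: every booking needs the clerk token, given back silently
    "tf": ("bookFlight", {"reqF": 1, "clerk": 1}, {"doneF": 1, "busy": 1}),
    "th": ("bookHotel", {"reqH": 1, "clerk": 1}, {"doneH": 1, "busy": 1}),
    "rel": (TAU, {"busy": 1}, {"clerk": 1}),
}
INIT_A = {"reqF": 1, "reqH": 1}
INIT_B = {"reqF": 1, "reqH": 1, "clerk": 1}

def fire(net, marking, step):
    """Marking reached by firing the multiset `step` at once, or None if not enabled."""
    m = dict(marking)
    for t in step:  # a step is enabled iff the sum of its pre-sets fits in the marking
        for place, n in net[t][1].items():
            m[place] = m.get(place, 0) - n
    if any(n < 0 for n in m.values()):
        return None
    for t in step:
        for place, n in net[t][2].items():
            m[place] = m.get(place, 0) + n
    return tuple(sorted((p, n) for p, n in m.items() if n))

def lts(net, init, steps):
    """Reachable LTS as {marking: {(label, marking')}}.
    steps=False: firing LTS (one transition per move); steps=True: step LTS.
    A label is the sorted tuple of visible labels, so () plays the role of 0.
    """
    start = tuple(sorted(init.items()))
    graph, todo = {}, [start]
    while todo:
        m = todo.pop()
        if m in graph:
            continue
        graph[m] = set()
        # every pre-set here is non-empty, so a step has at most |m| transitions
        bound = sum(n for _, n in m) if steps else 1
        for k in range(1, bound + 1):
            for step in combinations_with_replacement(sorted(net), k):
                target = fire(net, m, step)
                if target is not None:
                    label = tuple(sorted(net[t][0] for t in step if net[t][0] != TAU))
                    graph[m].add((label, target))
                    todo.append(target)
    return graph, start

def saturate(graph):
    """Weak LTS in the sense of Definition 4.2: () for 0*, l for 0* l 0*."""
    def closure(s):
        seen, todo = {s}, [s]
        while todo:
            for label, t in graph[todo.pop()]:
                if label == () and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen
    clo = {s: closure(s) for s in graph}
    weak = {s: {((), t) for t in clo[s]} for s in graph}
    for s in graph:
        for mid in clo[s]:
            for label, nxt in graph[mid]:
                if label != ():
                    weak[s] |= {(label, t) for t in clo[nxt]}
    return weak

def weakly_bisimilar(g1, s1, g2, s2):
    """Greatest fixpoint: drop pairs that break the transfer property of Definition 4.3."""
    w1, w2 = saturate(g1), saturate(g2)
    rel = {(a, b) for a in w1 for b in w2}
    changed = True
    while changed:
        changed = False
        for a, b in list(rel):
            fwd = all(any(l2 == l and (a2, b2) in rel for l2, b2 in w2[b]) for l, a2 in w1[a])
            bwd = all(any(l1 == l and (a2, b2) in rel for l1, a2 in w1[a]) for l, b2 in w2[b])
            if not (fwd and bwd):
                rel.discard((a, b))
                changed = True
    return (s1, s2) in rel

def compare(steps):
    """True iff the two agencies are weakly bisimilar in the chosen (firing/step) LTS."""
    ga, a0 = lts(AGENCY_A, INIT_A, steps)
    gb, b0 = lts(AGENCY_B, INIT_B, steps)
    return weakly_bisimilar(ga, a0, gb, b0)

if __name__ == "__main__":
    print("weakly firing bisimilar:", compare(steps=False))
    print("weakly step bisimilar:  ", compare(steps=True))
```

The step LTS of agency A contains a move labelled with both bookings at once, which agency B can never match because its single `clerk` token serialises them.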
Figure 6: Pushouts in ONet. (a) $(Z_3, u_3)$ from $(Z_1, u_1)$ and $(Z_2, u_2)$; (b) $(W_3, v_3)$ from $(Z_1, u_1)$ and $(W_2, v_2)$.

As already mentioned, weak bisimilarity boils down to the notion of strong bisimilarity
when all labels are observable, i.e., when $\Lambda_\tau = \emptyset$. For convenience of the reader we make
explicit the notion of strong bisimilarity.

Definition 4.4 (strong bisimilarity). When $Z_1$ and $Z_2$ are weakly $\eta$-x-bisimilar open nets,
with $\Lambda_\tau = \emptyset$ we say that $Z_1$ and $Z_2$ are strongly $\eta$-x-bisimilar and write $Z_1 \sim_x^\eta Z_2$ or simply
$Z_1 \sim_x Z_2$. Explicitly, a strong $\eta$-x-bisimulation over $Z_1$ and $Z_2$ is a relation over their
markings $\mathfrak{R} \subseteq S_{Z_1}^\oplus \times S_{Z_2}^\oplus$ such that if $(u_1, u_2) \in \mathfrak{R}$ then

• if $u_1 \xrightarrow{\ell}_{x,Z_1} u_1'$ in $Z_1$, then there exists $u_2'$ such that $u_2 \xrightarrow{\eta(\ell)}_{x,Z_2} u_2'$ in $Z_2$ and $(u_1', u_2') \in \mathfrak{R}$;

• the symmetric condition holds.

We can finally state the congruence property for the considered behavioural equivalences 
with respect to the composition operation on open nets. The result will be proved separately 
for the various cases in the next subsection. 

Theorem 4.5 (bisimilarity is a congruence). Let $Z_0$, $Z_1$, $Z_2$, $W_2$ be open nets. Let $Z_2 \approx_x^\eta W_2$,
for some correspondence $\eta$ and $x \in \{S, F\}$. Consider the nets $Z_3 = Z_1 +_{f_1,f_2} Z_2$
and $W_3 = Z_1 +_{f_1,g_2} W_2$, as in Fig. 6, where $f_1$, $f_2$ and $g_2$ are embeddings, $f_1$ and $f_2$ are
composable, and $f_1$ and $g_2$ are composable as well.

If $g_2|_{O_{Z_0}} = \eta \circ (f_2|_{O_{Z_0}})$ ($f_2$ and $g_2$ are consistent with $\eta$ on open places) then $Z_3 \approx_x^{\eta'} W_3$,
where $\eta' : O_{Z_3} \leftrightarrow O_{W_3}$ is the correspondence defined as follows: for all $s \in O_{Z_3}$,
$\eta'(s) = \beta_1(s')$ if $s = \alpha_1(s')$, and $\eta'(s) = \beta_2(\eta(s'))$ if $s = \alpha_2(s')$.



4.2. Proofs of the Congruence Results. 

In order to prove the congruence results it is convenient to proceed as follows: we first
consider strong step bisimilarity which can be more easily handled than its weak variant.
Next the proof of the congruence result for the weak variant can be adapted from the strong
case. Finally, as firing bisimulation can (almost) be considered as a special case of step
bisimulation, the proof of the corresponding congruence result easily follows from that of
step bisimilarity. It is worth stressing that the complexity of the proof is mainly due to the
fact that we consider steps instead of single firings.

We start with a technical lemma which will play a central role later. It states that
for given composable embeddings $f_1 : Z_0 \to Z_1$ and $f_2 : Z_0 \to Z_2$, any step in $Z_2$ where
interactions with the environment only occur on places which are open also in $Z_1 +_{Z_0} Z_2$,
can be projected along $f_2$ to $Z_0$ and then simulated in $Z_1$.

Lemma 4.6. Let $f_1 : Z_0 \to Z_1$ and $f_2 : Z_0 \to Z_2$ be composable embeddings in ONet, let
$Z_3 = Z_1 +_{f_1,f_2} Z_2$ and let $u_i \in S_{Z_i}^\oplus$ ($i \in \{1,2\}$) be markings such that $(u_1 \downarrow f_1) = (u_2 \downarrow f_2)$.
Let $u_2 \;[A_2\rangle\; v_2$ be a step such that if $x_s \in A_2$, for $x \in \{+,-\}$ then $\alpha_2(s) \in O_{Z_3}^x$. Then
$u_1 \;[f_1^\oplus((A_2 \Downarrow f_2))\rangle\; v_1$ and $u_1 \uplus u_2 \;[\alpha_2^\oplus(A_2)\rangle\; v_1 \uplus v_2$.

Proof. Let $A_1 = f_1^\oplus((A_2 \Downarrow f_2))$. First note that $A_1$ is well-defined, i.e., $A_1 \in \bar{T}_{Z_1}^\oplus$. For
instance, let us show that if $+_{s_1} \in A_1$ then $s_1$ is input open, i.e., $s_1 \in O_{Z_1}^+$. By definition of
$A_1$ we deduce that there is $+_{s_0} \in (A_2 \Downarrow f_2)$ with $f_1(s_0) = s_1$. Now, by the assumptions on
$A_2$, there are two possibilities:

• $+_{s_0} \in (t_2 \Downarrow f_2)$ with $t_2 \in T_{Z_2}$

By the definition of projection for steps, this implies that $f_2(s_0) \in t_2^\bullet$, with $t_2 \notin f_2(T_{Z_0})$
and thus $s_0 \in in(f_2)$. Since $f_1$ and $f_2$ are composable, we have that $s_1 = f_1(s_0) \in
f_1(in(f_2)) \subseteq O_{Z_1}^+$, as desired.

• $+_{s_0} \in (+_{s_2} \Downarrow f_2)$ with $\alpha_2(s_2) \in O_{Z_3}^+$

Since the diagram in Fig. 3 commutes, we have that $\alpha_1(s_1) = \alpha_2(s_2)$. Since $\alpha_2(s_2) \in O_{Z_3}^+$,
by condition (1) in the definition of open net morphism (Definition 1.7), $s_1 \in O_{Z_1}^+$, as
desired.

Now observe that

${}^\bullet A_1 = {}^\bullet(f_1^\oplus((A_2 \Downarrow f_2)))$

$= f_1^\oplus({}^\bullet(A_2 \Downarrow f_2))$ [by def. of open net morphism]

$= f_1^\oplus(({}^\bullet A_2 \downarrow f_2))$ [by Lemma 1.10(3)]

Since the step $u_2 \;[A_2\rangle\; v_2$ is enabled, we know that ${}^\bullet A_2 \le u_2$, and thus

${}^\bullet A_1 = f_1^\oplus(({}^\bullet A_2 \downarrow f_2))$

$\le f_1^\oplus((u_2 \downarrow f_2))$

$= f_1^\oplus((u_1 \downarrow f_1))$ [since $(u_2 \downarrow f_2) = (u_1 \downarrow f_1)$]

$\le u_1$ [by Lemma 1.10(4)]

Hence, the step $u_1 \;[A_1\rangle\; v_1$ can be performed. Clearly, the two steps in $Z_1$ and $Z_2$ are
compatible, and thus we conclude with Lemma 3.3. □



4.2.1. Strong Step Bisimilarity. 

Theorem 4.7. Strong step bisimilarity is a congruence. 

Proof. Let $Z_0$, $Z_1$, $Z_2$, $W_2$ be open nets, with $Z_2 \sim_S^\eta W_2$, for some correspondence $\eta$. Let
$Z_3 = Z_1 +_{f_1,f_2} Z_2$ and $W_3 = Z_1 +_{f_1,g_2} W_2$, as in Fig. 6, where $f_1$, $f_2$ and $g_2$ are embeddings,
with $f_1$, $f_2$ and $f_1$, $g_2$ composable and $g_2|_{O_{Z_0}} = \eta \circ (f_2|_{O_{Z_0}})$.

To simplify the notation, assume, without loss of generality, that all the morphisms in
the diagrams of Fig. 6 are inclusions and $\eta = id$. Hence $f_2|_{O_{Z_0}} = g_2|_{O_{Z_0}}$.

Now let $\mathfrak{R}$ be a $\eta$-S-bisimulation over $Z_2$ and $W_2$ such that $(u_2, v_2) \in \mathfrak{R}$, which exists
by hypothesis. Consider the relation $\mathfrak{R}'$ over $Z_3$ and $W_3$ defined as

$\mathfrak{R}' = \{(u_1 \uplus_{u_0} u_2,\; v_1 \uplus_{v_0} v_2) : (u_2, v_2) \in \mathfrak{R} \wedge u_1 \ominus u_0 = v_1 \ominus v_0\}$

The condition above on $u_1$ and $v_1$ means that the markings can differ, but only for the number
of tokens in places of the interface net $Z_0$ (notice that the marking of $Z_0$ is completely
determined by the marking of components $Z_2$ and $W_2$).

We claim that $\mathfrak{R}'$ is a $\eta'$-S-bisimulation over $Z_3$ and $W_3$, where $\eta'$ is again the identity on
open places. Since, by the construction of the pushout, $(u_3, v_3) = (u_1 \uplus u_2,\; u_1 \uplus v_2) \in \mathfrak{R}'$,
this provides the desired result.
In order to prove that $\mathfrak{R}'$ is a $\eta'$-S-bisimulation, assume that $u_3 \xrightarrow{\ell}_{S,Z_3} u_3'$. Therefore

$u_3 \;[A_3\rangle\; u_3'$ with $\ell = \lambda_{Z_3}^\oplus(A_3)$

and by Lemma 3.3 we can project the step $A_3$ over the components $Z_1$ and $Z_2$ thus getting
for $i \in \{1,2\}$ the following steps in $Z_i$.

$u_i \;[A_i\rangle\; u_i'$ (4.1)

Since by the same lemma such steps are compatible, according to Definition 3.2 we can
find partitions

$A_i = A_i^I \oplus A_i^E$ with $i \in \{1,2\}$

such that

$A_1^E = f_1^\oplus((A_2^I \Downarrow f_2)) \qquad A_2^E = f_2^\oplus((A_1^I \Downarrow f_1))$ (4.2)

and

$A_3 = \alpha_1^\oplus(A_1^I) \oplus \alpha_2^\oplus(A_2^I)$ (4.3)

Additionally, as shown in the proof of Lemma 3.3 we can assume, w.l.o.g., that $A_2^E$ consists
only of interactions with the environment, i.e., $A_2^E \in \{x_s \mid x \in \{+,-\},\, s \in O_{Z_2}^x\}^\oplus$, or,
equivalently, that $A_1^I$ does not contain firings of transitions of $Z_0$.

Now, since $(u_2, v_2) \in \mathfrak{R}$, the step (4.1) of $Z_2$ can be simulated by $W_2$, i.e., there is

$v_2 \;[B_2\rangle\; v_2'$ (4.4)

with $\lambda^\oplus(B_2) = \lambda^\oplus(A_2)$ and $(u_2', v_2') \in \mathfrak{R}$.

We can now split $B_2$ in an "internal" and an "external" part, according to the splitting
of $A_2$, i.e., we define

$B_2^E = A_2^E \qquad B_2^I = B_2 \ominus B_2^E$ (4.5)

Notice that we can legally define $B_2^E = A_2^E$ since $A_2^E$ consists only of interactions with
the environment, which are necessarily also in $B_2$ since $\lambda^\oplus(B_2) = \lambda^\oplus(A_2)$ (and recall that
places in the interface have the same name in $Z_2$ and $W_2$).
Now, define

$v_2^I = {}^\bullet B_2^I \qquad v_2^{I\prime} = B_2^{I\bullet}$ (4.6)

$v_2^E = v_2 \ominus v_2^I \qquad v_2^{E\prime} = v_2' \ominus v_2^{I\prime}$ (4.7)

and thus we have

$v_2^I \;[B_2^I\rangle\; v_2^{I\prime}$ (4.8)

$v_2^E \;[B_2^E\rangle\; v_2^{E\prime}$ (4.9)

Now, the idea is to construct a step in $W_3$ by using separately the internal part of the
step in $W_2$ and the internal part of the step in $Z_1$ (which plays the role of a context).

In order to apply Lemma 4.6 to the step in (4.8), we note that if $+_s \in B_2^I$ then
$s \in O_{W_3}^+$ (and the same holds for $-_s$). In fact, if $+_s \in B_2^I$, then by construction of $B_2^I$
and since $\lambda^\oplus(A_2) = \lambda^\oplus(B_2)$, we must have $+_s \in A_2^I$. Now, if $s \notin Z_0$ then, given that
$s \in O_{Z_2}^+$ we have that $s \in O_{Z_3}^+ = O_{W_3}^+$. Otherwise, if $s \in Z_0$ then, by (4.2), we have that
$f_1^\oplus((+_s \Downarrow f_2)) = +_s \in A_1^E$, thus $s \in O_{Z_1}^+$, and hence $s \in O_{Z_3}^+ = O_{W_3}^+$.

Therefore if we define:

$v_1^E = f_1^\oplus((v_2^I \downarrow g_2)) \qquad B_1^E = f_1^\oplus((B_2^I \Downarrow g_2))$ (4.10)
since clearly $(v_1^E \downarrow f_1) = (v_2^I \downarrow g_2)$, we can apply Lemma 4.6 to deduce that

$v_1^E \;[B_1^E\rangle\; v_1^{E\prime}$

and

$v_1^E \uplus v_2^I \;[\beta_2^\oplus(B_2^I)\rangle\; v_1^{E\prime} \uplus v_2^{I\prime}$ (4.11)

Note that $v_1^E \le v_1$. In fact $v_2^I \le v_2$. Therefore $(v_2^I \downarrow g_2) \le (v_2 \downarrow g_2)$ and thus

$v_1^E = f_1^\oplus((v_2^I \downarrow g_2)) \le f_1^\oplus((v_2 \downarrow g_2)) \le v_1$

Let us now construct the other part of the step in $W_3$, arising as the composition of an
internal step in $Z_1$ and the external part of the step in $W_2$. As mentioned before, since the
component $Z_1$ plays the role of a context (it is the same in both composed nets) we can
simply define:

$B_1^I = A_1^I$ (4.12)

If we let

$v_1^I = v_1 \ominus v_1^E$ (4.13)

then we can see that

$v_1^I \;[B_1^I\rangle\; v_1^{I\prime}$ (4.14)

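We can show that indeed ${}^\bullet B_1^I \le v_1^I$, with a long, but easy calculation. In fact, since
$A_1^I = B_1^I$ by (4.12)

${}^\bullet B_1^I = {}^\bullet A_1^I = ({}^\bullet A_1^I \downarrow (S_{Z_1} - S_{Z_0})) \oplus ({}^\bullet A_1^I \downarrow S_{Z_0})$ (4.15)

In the last expression, $({}^\bullet A_1^I \downarrow (S_{Z_1} - S_{Z_0}))$ and $({}^\bullet A_1^I \downarrow S_{Z_0})$ stands for the projections along
the inclusions of $S_{Z_1} - S_{Z_0}$ and $S_{Z_0}$, respectively, into $S_{Z_1}$. Now, let us consider the two
summands separately. Concerning the first one:

$({}^\bullet A_1^I \downarrow (S_{Z_1} - S_{Z_0})) \le u_1 \ominus u_0 =$ [since $A_1^I$ enabled in $u_1$ by (4.1)]

$= v_1 \ominus v_0 =$ [by construction of $\mathfrak{R}'$]

$= v_1 \ominus f_1^\oplus((v_2 \downarrow g_2))$

Let us consider the second one:

$({}^\bullet A_1^I \downarrow S_{Z_0}) = f_1^\oplus(({}^\bullet A_1^I \downarrow f_1)) =$

$= f_1^\oplus(({}^\bullet A_2^E \downarrow f_2)) =$ [since $(A_1^I \Downarrow f_1) = (A_2^E \Downarrow f_2)$ by (4.2)]

$= f_1^\oplus(({}^\bullet B_2^E \downarrow g_2)) \le$ [by (4.5) and the fact that $g_2$, $f_2$ agree on $Z_0$]

$\le f_1^\oplus((v_2^E \downarrow g_2))$ [since by (4.9) ${}^\bullet B_2^E \le v_2^E$]

Putting together the two summands, from (4.15) we have

${}^\bullet B_1^I \le v_1 \ominus f_1^\oplus((v_2 \downarrow g_2)) \oplus f_1^\oplus((v_2^E \downarrow g_2)) =$

$= v_1 \ominus f_1^\oplus((v_2 \ominus v_2^E \downarrow g_2)) =$ [since $v_2^E \le v_2$ and $f_1$ injective]

$= v_1 \ominus f_1^\oplus((v_2^I \downarrow g_2)) =$ [since $v_2^I = v_2 \ominus v_2^E$ by (4.7)]

$= v_1 \ominus v_1^E =$ [by (4.10)]

$= v_1^I$ [by (4.13)]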

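In order to apply Lemma 4.6 to the step (4.14), we can prove that if $+_s \in B_1^I$ then
$s \in O_{W_3}^+$ (and the same for $-_s$) as in the previous case. Additionally, we have

$(v_1^I \downarrow f_1) = ((v_1 \ominus v_1^E) \downarrow f_1) =$ [by def. of $v_1^I$ in (4.13)]

$= (v_1 \downarrow f_1) \ominus (v_1^E \downarrow f_1) =$

$= (v_2 \downarrow g_2) \ominus (v_1^E \downarrow f_1) =$ [since $(v_1 \downarrow f_1) = (v_2 \downarrow g_2)$ by hypothesis]

$= (v_2 \downarrow g_2) \ominus (v_2^I \downarrow g_2) =$ [since $(v_1^E \downarrow f_1) = (v_2^I \downarrow g_2)$ by (4.10)]

$= ((v_2 \ominus v_2^I) \downarrow g_2) =$

$= (v_2^E \downarrow g_2)$ [by def. of $v_2^E$ in (4.7)]

and moreover

$B_2^E = g_2^\oplus((B_1^I \Downarrow f_1))$.

In fact

$B_2^E = A_2^E$ [by (4.5)]

$= f_2^\oplus((A_1^I \Downarrow f_1)) =$ [by (4.2)]

$= f_2^\oplus((B_1^I \Downarrow f_1)) =$ [by (4.12)]

$= g_2^\oplus((B_1^I \Downarrow f_1))$ [since $g_2$ and $f_2$ "agree" on $O_{Z_0}$]

Therefore, by Lemma 4.6 we have that

$v_2^E \;[B_2^E\rangle\; v_2^{E\prime}$ (4.16)

and

$v_1^I \uplus v_2^E \;[\beta_1^\oplus(B_1^I)\rangle\; v_1^{I\prime} \uplus v_2^{E\prime}$ (4.17)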
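Now, by Proposition 2.1 we can join the steps (4.11) and (4.17) and obtain

$(v_1^E \uplus v_2^I) \oplus (v_1^I \uplus v_2^E) \;[\beta_1^\oplus(B_1^I) \oplus \beta_2^\oplus(B_2^I)\rangle\; (v_1^{E\prime} \uplus v_2^{I\prime}) \oplus (v_1^{I\prime} \uplus v_2^{E\prime})$

i.e., the desired step which can be used to simulate $u_3 \xrightarrow{\ell}_{S,Z_3} u_3'$. In fact the label is

$\lambda_{W_3}^\oplus(\beta_1^\oplus(B_1^I) \oplus \beta_2^\oplus(B_2^I)) =$

$= \lambda_{W_3}^\oplus(\beta_1^\oplus(B_1^I)) \oplus \lambda_{W_3}^\oplus(\beta_2^\oplus(B_2^I))$ [since the diagram in Fig. 6(b) commutes]

$= \lambda_{Z_1}^\oplus(B_1^I) \oplus \lambda_{W_2}^\oplus(B_2^I)$ [since $A_1^I = B_1^I$ by (4.12) and
$\lambda_{W_2}^\oplus(B_2^I) = \lambda_{Z_2}^\oplus(A_2^I)$ by construction (4.5)]

$= \lambda_{Z_1}^\oplus(A_1^I) \oplus \lambda_{Z_2}^\oplus(A_2^I)$ [since the diagram in Fig. 6(a) commutes]

$= \lambda_{Z_3}^\oplus(\alpha_1^\oplus(A_1^I)) \oplus \lambda_{Z_3}^\oplus(\alpha_2^\oplus(A_2^I))$

$= \lambda_{Z_3}^\oplus(\alpha_1^\oplus(A_1^I) \oplus \alpha_2^\oplus(A_2^I))$ [by (4.3)]

$= \lambda_{Z_3}^\oplus(A_3)$

Moreover, using (4.7), we have

$(v_1^E \uplus v_2^I) \oplus (v_1^I \uplus v_2^E) = (v_1^E \oplus v_1^I) \uplus (v_2^I \oplus v_2^E) = v_1 \uplus v_2 = v_3$.

And, if we define

$v_1' = v_1^{E\prime} \oplus v_1^{I\prime}$

recalling that, by (4.7), $v_2' = v_2^{I\prime} \oplus v_2^{E\prime}$, we have that the target state of the step is

$v_3' = v_1' \uplus v_2'$

Now, $(u_2', v_2') \in \mathfrak{R}$ by construction. Moreover, the fact that $u_1' \ominus u_0' = v_1' \ominus v_0'$ immediately
follows from the fact that this property holds of the starting markings and we executed the
same internal step in $Z_1$.

Hence $(u_3', v_3') \in \mathfrak{R}'$ as desired. □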



4.2.2. Weak Step Bisimilarity. 

Theorem 4.8. Weak step bisimilarity is a congruence. 

Proof. In order to show the desired result, we build on the proof of the strong case
(Theorem 4.7). Let us use the same notation and define the relation $\mathfrak{R}'$ in the same way. In order
to prove that $\mathfrak{R}'$ is an S-weak bisimulation we proceed as follows.

Let U3 ~$>s,Zz u 3 an d let us focus on the case 4/0 (the case in which £3 = is 
completely analogous). This transition is induced by a step 113 [A3) u'3, which can be 
projected over Z\ and Z2, thus getting, for i € {1,2} 

Ui [Ai) u\ 

Now, since (u2,v 2 ) € 3?, the transition u 2 "~>s,z 2 n 2> induced by u 2 [A 2 ) u' 2 can be simulated 
in W 2 , by v ==>s,w 2 v ■ Let the weak transition in W 2 arise from the sequence of steps 
v 2 = v° 2 [B\) v\... v h 2 \B\) v h 2 +l ...v\ \B\) v k 2 +l = v' 2 

where A^ (B 2 ) = for i ^ h and (B 2 ) = t (and as remarked after Definition 14.31 we 
can assume that no transition in B 2 has an unobservable label). 

Now, any r-step v\ [B 2 ) v l 2 +1 (i < h) consists only of firings of transitions of W 2 . Hence, 
as in the strong case, by using Lemma 14.61 we can conclude that there is a "corresponding" 
step v\ [B\) , consisting only of interactions with the environment, and their composition 
is a r-step in W 3 of the kind v\ [o%(B\)) v* 3 +1 , with Af^Bj) = 0. 

Note that since v\ [B\) v 1 ^ 1 consists only of interactions with the environment, u\Quq = 
v[ +1 Q vl +l iovi<h. 

For the "visible" step v 2 [B 2 ] v 2 +1 , we can apply the same argument as in the strong 
case, to get steps v\ \B\) v^ +1 and v% [B%) v 3 +1 , with X^ 3 (B^) = I. Additionally, u^Qu'q = 

Repeating the same argument for the remaining r-steps, v 2 [B 2 ) v 2 +l (i > h), i.e., using 
again Lemma 14.61 we can prove that there are steps v\ [B\) , consisting only of inter- 
actions with the environment, correspondingly r-steps in W3 of the kind v\ [a 2 (B 2 )) v 3 +1 , 
with A® (B[) = 0, for i > h. Such sequence of further r-steps in W3 leads to a marking 
v ' 3 = v \ +1 i+j v ^+ 1 ) where v\ +l Q v^ +1 = u[ G u' and v 2 +1 = v' 2 with (u' 2 ,v' 2 ) G 31. Hence 
(u' 3 ,v' 3 )eX'. 

In other words V3 =^s,VF 3 v 3 an d (tt 3 ,u 3 ) € 01', as desired. □ 
4.2.3. Weak (and Strong) Firing Bisimilarity.

Theorem 4.9. Strong and weak firing bisimilarity are congruences. 

Proof. The proof remains essentially the same as for step bisimulation (Theorem 4.7 and
Theorem 4.8). Only some minor adaptations are required.

Let us focus on weak bisimulation, which is the more general case. We use the same
notation as in Theorem 4.8 and define $\mathfrak{R}'$ in the same way. In order to prove that $\mathfrak{R}'$ is an
S-weak bisimulation we proceed as follows.

Let (ii3, V3) £ 3£' and let U3 ^f,z 3 u' 3 . Then there must be a step 

U3 ta) u' 3 

such that €3 G Tz 3 and Xz 3 (^3) = (■ We can project the step over Z 2 , thus getting 

u 2 \A 2 ) v! 2 (4.18) 

The delicate case is the one in which £3 = t% 6 Tz 3 — a 2 (Tz 2 ). In fact, in this case, A 2 is in 
general a proper multiset (of interactions with the environment) and thus we cannot argue, 

as in the case of step bisimulation, that the transition u 2 — > f,z 2 u i must be simulated 
by W 2 , since only single firings are simulated. 

In order to proceed, we have first to linearise the step in (4.18) as

U 2 >F,Z 2 ■ ■ • >F,Z 2 ► F,Z 2 • • • > F,Z 2 U 2 (4.19) 

Interestingly, the joint effect of the projection and of the linearization corresponds to the
function tjj used in [43, page 96] to project a firing in the combined net to a firing sequence
in the host net. Now we can say that this is simulated in $W_2$ by



I S ^j. _i ^ 

v 2 => FjH / 2 . . . => FjH / 2 =^> ¥ W2 . . . => F VK2 V ' 2 



namely 



s i o 

v 2 =^F,W2 — > F,iy 2 =^F,w 2 • • • 

0, + s k+l 

■ • • =^f,vk 2 — > F,w 2 =^F,iy 2 =^F,iy 2 — > F,iy 2 =^F,iy 2 • • • 

+s k+h o , 

■ • • =^F,W 2 ► F,W/ 2 =^F,W 2 v 2 

which in turn (since $-_{s_i}$ and $+_{s_j}$ firings can be clearly postponed and anticipated,
respectively) can be reorganised as

— «i ~sk +s fe+i +s k+h / 

V 2 =^F,Wa ^,W 2 ■ ■ ■ y F,W 2 * F,W 2 ■ ■ • ► F,VK 2 =^F,iy 2 V 2 

and thus finally to 

12 o , 

V2 =>F,W2 => F,W 2 ^^F,W 2 V 2 

where £ 2 = (©f = i +si) © (©f=i ~~ sj- Then we can proceed exactly as in the proof for step 
bisimilarity. □
Figure 7: Two pushouts of open nets for the comparison to CCS.

4.3. Comparison to CCS.

We now give some hints as to why weak (firing) bisimilarity is a congruence in the case of
open nets, but not in CCS [25]. Remember that a classical counterexample for CCS is as
follows: $p_1 = \tau.a.0 \approx a.0 = p_2$, but $q_1 = \tau.a.0 + b.0 \not\approx a.0 + b.0 = q_2$. The reason for the
latter inequality is that $q_1$ can do a $\tau$ and become $a.0$, while $q_2$ cannot mimic this step.

Fig. 7 shows a similar situation of nondeterministic choice for open nets, where $\tau$ is the
only unobservable label. However, note that here the two nets $Z_1$ (corresponding to $\tau.a.0$)
and $Z_1'$ (corresponding to $a.0$) are not weakly firing bisimilar. Whenever the $\tau$-transition
is fired in $Z_1$, resulting in the marking $m_1$, this can not be mimicked in $Z_1'$ by staying idle,
since then in $Z_1'$ a transition with label $-_{s_1'}$ is possible, while a transition labelled $-_{s_1}$ is
not possible for the net $Z_1$ with marking $m_1$. Also note that the places $s_1$ respectively $s_1'$
must be output open in order to allow composition with the net $Z_2$.

Roughly, this means that for open nets we are always able to observe the first invisible
action in an open component, which is reminiscent of the definition of observation congruence
in CCS: two processes $p$, $q$ are called observation congruent if they are weakly bisimilar,
with the additional constraint that whenever the first step of $p$ is a $\tau$-action, then it has to
be answered by at least one $\tau$-action of $q$ (and vice versa). In both settings it is only the
first $\tau$-action that can be observed but not the subsequent ones.



5. Some Proof Techniques for Bisimilarity 

We next present some properties of (strong and weak) bisimilarity, which can help in 
bisimilarity proofs. We first show that the set of open places can be uniformly reduced 
without altering the equivalence of open nets. Then we provide an up-to technique for 
firing bisimilarity. 

We start by showing that given two bisimilar nets, if we "close" corresponding open
places in both nets we still get two bisimilar nets. Given an open net $Z$ and an open place
$s \in O_Z^x$, let us denote by $Z - (s,x)$ the open net obtained from $Z$ by closing place $s$, i.e.,
$Z' = (N, O_{Z'})$, where $O_{Z'}^x = O_Z^x - \{s\}$. The initial marking remains the same.

Proposition 5.1 ("closing" open places). Let $Z_1 \approx_x^\eta Z_2$, with $x \in \{F, S\}$. Let $s \in O_{Z_1}^x$
($x \in \{-,+\}$) be an open place in $Z_1$. Then the nets $Z_1 - (s,x)$ and $Z_2 - (\eta(s),x)$ are
$\eta$-x-bisimilar.

Proof. Let $Z_1' = Z_1 - (s,x)$ and $Z_2' = Z_2 - (\eta(s),x)$. Let $\mathfrak{R} \subseteq S_{Z_1}^\oplus \times S_{Z_2}^\oplus$ be an $\eta$-x-bisimulation
such that $(u_1, u_2) \in \mathfrak{R}$. Then $\mathfrak{R}$ is a bisimulation between $Z_1'$ and $Z_2'$. In fact, if $(u_1, u_2) \in \mathfrak{R}$
and $u_1 \overset{\ell}{\leadsto}_{x,Z_1'} u_1'$ then clearly $u_1 \overset{\ell}{\leadsto}_{x,Z_1} u_1'$. Since $\mathfrak{R}$ is a bisimulation for $Z_1$ and $Z_2$ this
implies that $u_2 \overset{\eta(\ell)}{\Rightarrow}_{x,Z_2} u_2'$ with $(u_1', u_2') \in \mathfrak{R}$. Since $\ell$ is a label in $Z_1'$ where place $s$ has been
closed, we are sure that $x_s \notin \ell$, and thus $u_2 \overset{\eta(\ell)}{\Rightarrow}_{x,Z_2} u_2'$ implies $u_2 \overset{\eta(\ell)}{\Rightarrow}_{x,Z_2'} u_2'$. Hence we get
the desired result. □

We next provide a kind of up-to technique for firing bisimilarity. Given an open net Z, 
let us define the out-degree of a place $s \in S$ as the maximum number of tokens that the
firing of an extended event can remove from s, formally:

$$\deg(s) = \max(\{{}^\bullet t(s) : t \in T_Z\} \cup \{1 : s \in O^-_Z\})$$

The idea, formalised by the notion of up-to bisimulation, is to allow tokens to be
removed from input open places, when they exceed the out-degree of the place. More
precisely, given a net Z and a marking $u \in S^\oplus$, let us say that a marking $v \in (O^+_Z)^\oplus$ is
subtractable from u if $\forall s \in O^+_Z.\ v(s) \le \max\{u(s) - \deg(s), 0\}$. Note that when the number
of tokens in a place s does not exceed its out-degree, i.e., $u(s) \le \deg(s)$, then $v(s) = 0$,
i.e., no token is subtractable from s. If instead $u(s) > \deg(s)$, then the tokens in s which
exceed the out-degree of s can be safely subtracted from s. It is clear that when v is
subtractable from u, all transitions enabled in u are also enabled in $u \ominus v$. Note that the
empty marking is subtractable from any other marking.

Definition 5.2 (up-to firing bisimulation). Let $Z_1$ and $Z_2$ be open nets, and let
$\eta : O_{Z_1} \leftrightarrow O_{Z_2}$ be a correspondence between $Z_1$ and $Z_2$. A relation $\mathcal{R} \subseteq S_1^\oplus \times S_2^\oplus$ between markings
is called an up-to η-F-bisimulation if whenever $(u_1, u_2) \in \mathcal{R}$ then

• if $u_1 \rightarrow_{F,Z_1} u_1'$ then there exist markings $u_2'$ such that $u_2 \Rightarrow_{F,Z_2} u_2'$ and $v_1 \in (O^+_{Z_1})^\oplus$
subtractable from $u_1'$, with $(u_1' \ominus v_1, u_2' \ominus \eta^\oplus(v_1)) \in \mathcal{R}$;

• the symmetric condition holds. 

That is, the intuition behind up-to bisimulations is that some tokens might be super- 
fluous since they are not necessary to fire a transition. Hence in the bisimulation game they 
can be removed in the two successor markings. 

A first technical lemma shows an invariance property of up-to F-bisimulations, with 
respect to adding tokens in open places. 

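Lemma 5.3. Let $Z_1$ and $Z_2$ be open nets, let $\eta : O_{Z_1} \leftrightarrow O_{Z_2}$ be a correspondence between
$Z_1$ and $Z_2$, and let $\mathcal{R}$ be an up-to η-F-bisimulation between $Z_1$ and $Z_2$. Then

(1) given any $s \in O^+_{Z_1}$, the relation $\mathcal{R}^s = \mathcal{R} \cup \{(u_1 \oplus s, u_2 \oplus \eta(s)) : (u_1, u_2) \in \mathcal{R}\}$ is an up-to
η-F-bisimulation.

(2) $\mathcal{R}' = \mathcal{R} \cup \{(u_1 \oplus v_1, u_2 \oplus \eta^\oplus(v_1)) : (u_1, u_2) \in \mathcal{R} \wedge v_1 \in (O^+_{Z_1})^\oplus\}$ is an up-to η-F-bisimulation.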

Proof. 1. In order to simplify the notation, let us assume, without loss of generality, that η
is the identity (i.e., $O^+_{Z_1} = O^+_{Z_2}$ and $O^-_{Z_1} = O^-_{Z_2}$).

Let $(u_1 \oplus s, u_2 \oplus s) \in \mathcal{R}^s$. Let us show that if $u_1 \oplus s \xrightarrow{\ell}_{F,Z_1} u_1'$ then there exists
$u_2 \oplus s \stackrel{\ell}{\Rightarrow}_{F,Z_2} u_2'$ and $v \in (O^+_{Z_1})^\oplus$ subtractable from $u_1'$ with $(u_1' \ominus v, u_2' \ominus v) \in \mathcal{R}^s$. The other
cases are completely analogous.

Observe that, since $s \in O^+_{Z_1}$, we have

$$u_1 \xrightarrow{+_s}_{F,Z_1} u_1 \oplus s.$$

By definition of $\mathcal{R}^s$, we have $(u_1, u_2) \in \mathcal{R}$ and thus

$$u_2 \stackrel{+_s}{\Rightarrow}_{F,Z_2} u_2' \quad \text{and} \quad (u_1 \oplus s \ominus v', u_2' \ominus v') \in \mathcal{R} \qquad (5.1)$$

for a suitable $v' \in (O^+_{Z_1})^\oplus$ subtractable from $u_1 \oplus s$. Also notice that, since a $+_s$ can always
be performed, we can assume that the firing sequence (5.1) is of the kind

(5.2)

Now, if $u_1 \oplus s \xrightarrow{\ell}_{F,Z_1} u_1'$, then, since $v'$ is subtractable from $u_1 \oplus s$, also
$u_1 \oplus s \ominus v' \xrightarrow{\ell}_{F,Z_1} u_1' \ominus v'$. Thus, by (5.1)

(5.3)

for a suitable $v'' \in (O^+_{Z_1})^\oplus$, subtractable from $u_1' \ominus v'$.

Putting the above together with (5.2), we have that

$$u_2 \oplus s \Rightarrow_{F,Z_2} u_2' \stackrel{\ell}{\Rightarrow}_{F,Z_2} u_2'' \oplus v'$$

i.e., $u_2 \oplus s \stackrel{\ell}{\Rightarrow}_{F,Z_2} u_2'' \oplus v'$ and, if we denote $u_2''' = u_2'' \oplus v'$, $(u_1' \ominus v' \ominus v'', u_2''' \ominus v' \ominus v'') \in \mathcal{R}^s$.
It is immediate to see that $v' \oplus v''$ is subtractable from $u_1'$, and thus we conclude.

2. By an inductive reasoning, exploiting point 1, we can show that the relation
$\mathcal{R}_n = \mathcal{R} \cup \{(u_1 \oplus v_1, u_2 \oplus \eta^\oplus(v_1)) : (u_1, u_2) \in \mathcal{R} \wedge v_1 \in (O^+_{Z_1})^\oplus \wedge |v_1| < n\}$ is an η-F-weak bisimulation
up-to for any n. Then we exploit the fact that the union of weak bisimulations up-to is
again a weak bisimulation up-to. □

We can finally prove the soundness of the up-to technique. 

Proposition 5.4. Let $Z_1$ and $Z_2$ be open nets, and let $\eta : O_{Z_1} \leftrightarrow O_{Z_2}$ be a correspondence
between $Z_1$ and $Z_2$. Let $\mathcal{R}$ be an up-to η-F-bisimulation. Then for any $(u_1, u_2) \in \mathcal{R}$ we have
that $(Z_1, u_1) \approx^{\eta}_F (Z_2, u_2)$.

Proof. In order to simplify the notation, let us assume, without loss of generality, that η is
the identity (i.e., $O^+_{Z_1} = O^+_{Z_2}$ and $O^-_{Z_1} = O^-_{Z_2}$).
Let us show that

$$\{(u_1 \oplus v, u_2 \oplus v) : (u_1, u_2) \in \mathcal{R} \wedge v \in (O^+_{Z_1})^\oplus\}$$

By Lemma 5.3 we know that $\mathcal{R}'$ is an up-to bisimulation, and thus there exists a
transition

$$u_2 \oplus v \Rightarrow_{F,Z_2} u_2'$$

and $v' \in (O^+_{Z_1})^\oplus$, subtractable from $u_1'$, such that $(u_1' \ominus v', u_2' \ominus v') \in \mathcal{R}'$. However, by
construction of $\mathcal{R}'$, this implies that

$$(u_1', u_2') \in \mathcal{R}'$$

as desired. □

As it often happens with up-to techniques, the above result might allow one to show that
two nets are firing bisimilar by exhibiting finite relations (while bisimulations are typically
infinite). E.g., consider the open nets on the right, where label a is observable. Then any
firing bisimulation would include at least the pairs
$\{(k \cdot s, k \cdot s) : k \in \mathbb{N}\}$, where s is the only place. Instead,
according to the definition above $\{(0, 0), (s, s)\}$
is an up-to bisimulation.

Note that, instead, the up-to technique does not extend to step bisimilarity: since 
an unbounded number of tokens can be needed to fire a parallel step there is no obvious 
generalisation of the notion of subtractable marking. 
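
The following added example (not code from the paper) checks the up-to condition of Definition 5.2 on a finite relation. The nets are constructed stand-ins for the ones in the missing figure: one input open place s and a-labelled transitions consuming from it; the correspondence is assumed to be the identity, and since the constructed nets have no unobservable transitions every weak move is a single firing.

```python
from itertools import product

def norm(u):
    """Drop places holding zero tokens so equal markings compare equal."""
    return {s: n for s, n in u.items() if n > 0}

def add(u, v):
    return norm({s: u.get(s, 0) + v.get(s, 0) for s in set(u) | set(v)})

def sub(u, v):
    """u minus v, or None when v is not contained in u."""
    diff = {s: u.get(s, 0) - v.get(s, 0) for s in set(u) | set(v)}
    return None if any(n < 0 for n in diff.values()) else norm(diff)

def key(u):
    return frozenset(u.items())

class OpenNet:
    """Hypothetical minimal open net: transitions map name -> (label, pre, post)."""
    def __init__(self, transitions, open_in=(), open_out=()):
        self.transitions = transitions
        self.open_in = frozenset(open_in)
        self.open_out = frozenset(open_out)

    def deg(self, s):
        """Out-degree: most tokens a single extended event can remove from s."""
        amounts = [pre.get(s, 0) for _, pre, _ in self.transitions.values()]
        if s in self.open_out:
            amounts.append(1)              # the event -s removes one token
        return max(amounts, default=0)

    def steps(self, u):
        """All single firings (label, successor) from marking u, including +s and -s."""
        out = []
        for label, pre, post in self.transitions.values():
            rest = sub(u, pre)
            if rest is not None:
                out.append((label, add(rest, post)))
        out += [("+" + s, add(u, {s: 1})) for s in sorted(self.open_in)]
        out += [("-" + s, sub(u, {s: 1})) for s in sorted(self.open_out) if u.get(s, 0) > 0]
        return out

    def subtractable(self, u):
        """Markings v over input open places with v(s) <= max(u(s) - deg(s), 0)."""
        ins = sorted(self.open_in)
        bounds = [range(max(u.get(s, 0) - self.deg(s), 0) + 1) for s in ins]
        return [norm(dict(zip(ins, combo))) for combo in product(*bounds)]

def up_to_failures(z1, z2, relation):
    """Return the (marking, marking, label) challenges the relation cannot answer up-to."""
    rel = {(key(a), key(b)) for a, b in relation}
    failures = []

    def challenge(za, zb, ua, ub, flipped):
        for label, ua2 in za.steps(ua):
            answered = False
            for label_b, ub2 in zb.steps(ub):
                if label_b != label:
                    continue
                for v in za.subtractable(ua2):      # v is subtractable from the challenger's successor
                    ra, rb = sub(ua2, v), sub(ub2, v)
                    if rb is None:
                        continue
                    pair = (key(rb), key(ra)) if flipped else (key(ra), key(rb))
                    answered = answered or pair in rel
            if not answered:
                failures.append((ua, ub, label))

    for u1, u2 in relation:
        challenge(z1, z2, u1, u2, False)
        challenge(z2, z1, u2, u1, True)             # the symmetric condition
    return failures

# Constructed nets: Z1 has one a-transition consuming s, Z2 has two of them,
# Z3 needs two tokens in s before a can fire.
Z1 = OpenNet({"t": ("a", {"s": 1}, {})}, open_in=["s"])
Z2 = OpenNet({"t1": ("a", {"s": 1}, {}), "t2": ("a", {"s": 1}, {})}, open_in=["s"])
Z3 = OpenNet({"t": ("a", {"s": 2}, {})}, open_in=["s"])
R = [({}, {}), ({"s": 1}, {"s": 1})]                # the finite relation {(0,0), (s,s)}

if __name__ == "__main__":
    print("Z1 vs Z2:", up_to_failures(Z1, Z2, R))
    print("Z1 vs Z3:", up_to_failures(Z1, Z3, R))
```

An empty result means the two-pair relation is an up-to firing bisimulation, although any ordinary firing bisimulation for these nets has to contain a pair for every token count.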

6. Reconfigurations of Open Nets 

The results in the previous sections are used here to design a framework where a system 
specified as a (possibly open) Petri net can be reconfigured dynamically by transformation 
rules, triggered by the state/shape of the system. The congruence results allow one to
characterise classes of reconfigurations which preserve the observational behaviour of the
system.

6.1. Behaviour Preserving Reconfigurations of Open Nets. 

The fact that the composition operation over open nets is defined in terms of a pushout
construction suggests naturally a way of reconfiguring open nets by using the double-pushout
approach to rewriting [14].

A rewriting rule over open nets consists of a pair of morphisms in ONet:

$$p = L_p \xleftarrow{\,l_p\,} K_p \xrightarrow{\,r_p\,} R_p$$

where $L_p$, $K_p$, $R_p$ are open nets, called left-hand side, interface and right-hand side of the
rule p, and $l_p$, $r_p$ are open net embeddings. Intuitively, the rule specifies that, given a net
Z, if the left-hand side $L_p$ matches a subnet of Z then this can be reconfigured into Z' by
replacing the occurrence of $L_p$ with the right-hand side $R_p$, preserving the subnet $K_p$.
The notion of transformation is formally defined below.

Definition 6.1 (open net transformation). Let p be a rewriting rule over open nets, let Z
be an open net and let $m : L_p \to Z$ be a match, i.e., an open net embedding. We say that Z
rewrites to Z' using p at match m, denoted $Z \stackrel{p,m}{\Rightarrow} Z'$ or simply $Z \stackrel{p}{\Rightarrow} Z'$, if the diagram
of Fig. 8(a) can be constructed in ONet, where both squares are pushouts, and morphism
n is composable with both $l_p$ and $r_p$.

We stress that we are interested in transformations where the two pushout squares 
are built from composable arrows (technically, this ensures that the transformation can be 
performed in Net and then "lifted" to ONet). 

We can now characterise the rules which do not alter the observational behaviour of an 
open Petri net as the rules with bisimilar left and right-hand side. 

Definition 6.2 (behaviour preserving rules). An x-behaviour preserving rule ($x \in \{F, S\}$) is
an open net rewriting rule p such that $L_p \approx^{\eta}_x R_p$, where $\eta = (r_p \circ l_p^{-1})|_{O_{L_p}}$.

Figure 8: Transforming open nets through DPO rewriting.

Then the next result is an easy consequence of Theorem 4.5.

Theorem 6.3 (behaviour-preserving reconfigurations). Let p be an x-behaviour preserving
rule ($x \in \{F, S\}$). Given an open net Z, if $Z \stackrel{p,m}{\Rightarrow} Z'$ via a match $m : L_p \to Z$, then
$Z \approx_x Z'$.

Proof. Just observe that, in the DPO diagram of Figure 8(a), since the arrows $l_p$, n and $r_p$,
n are composable, we can apply Theorem 4.5 to conclude that $Z \approx_x Z'$. □

For instance, consider the double-pushout diagram in Fig. 8(b). It can be easily seen
that the left- and right-hand sides of the applied rule are strongly (step) bisimilar. Hence
we can conclude that Z and Z' are strongly (step) bisimilar as well.

6.2. Applying Rules to Open Nets. 

As it is common in the categorical approaches to (graph) rewriting, the notion of open
net transformation proposed in Definition 6.1 is rather "declarative" in style, because it
requires the existence of two pushouts in category ONet, without stating how they can
be constructed, and under which conditions. A more explicit description of the conditions
under which a rule can be applied to an open net and of the way the resulting net can be
constructed, is clearly necessary for practical purposes. Looking at Fig. 8(a), given a rule p
and a match $m : L_p \to Z$, in order to build the open net transformation:

• The pushout complement of $l_p$ and m must exist. The resulting arrows n and d must
be such that $l_p$ and n are composable. A necessary condition for the existence of the
pushout complement is a sort of dangling condition: a place can be deleted only if all the
transitions connected to this place are removed as well, otherwise the flow arcs of these
transitions would remain dangling. This ensures that the pushout complement exists and
is unique in the underlying category Net, but, as discussed below, it is not sufficient, in
general, to conclude the existence of the pushout complement in ONet.
Additionally, there can be several pushout complements and in this case a canonical
choice should be considered.
• The resulting arrow n must be composable with $r_p$: then we know how to build Z' by
Proposition 2.3.

Figure 9: (a),(b) A pushout complement in Net which cannot be lifted to ONet and (c)
A situation in which the pushout complement is not unique in ONet.

Unfortunately, although a general theory of DPO rewriting has been developed recently 
in the framework of adhesive categories [19] , we cannot exploit it here since the category of 
open nets falls outside the scope of the theory. 

Next we analyse the conditions which ensure the applicability of open net rules. We 
will first consider the case of general, possibly non-behaviour preserving rules. Then we will 
instantiate the developed theory to the setting of behaviour preserving rules, which turns 
out to be simpler and more intuitive. The reader who is not interested in the general case
can safely skip it.



6.2.1. Applying General Rules. In this section we develop general results concerning the
applicability of a rewriting rule to an open net. Given an open net Z, a rule p and a match
$m : L_p \to Z$, we first focus on the existence of the pushout complement in ONet. As
mentioned above, a first necessary condition is a sort of dangling condition, which, however,
in general, is not sufficient. Consider, for instance, the diagram in Fig. 9(a). It is easy to
realise that the only place in D must be input open since an additional transition is attached
to such place in Z. However, the resulting diagram is not a pushout in ONet: since the
places in $L_p$ and in D are input open also their image in Z should be input open. Similarly,
the diagram Fig. 9(b) is not a pushout in ONet, although the underlying diagram is a
pushout in Net, since place s of Z should be input open.

Moreover, in the case of general rules, the pushout complement in ONet might not be
unique. In fact, whenever, as in Fig. 9(c), there is an open place in $K_p$ whose image is not
open in $L_p$ (and thus neither in Z), then the corresponding place in D can be either open
or not. For instance, the diagram in Fig. 9(c) admits two possible pushout complements
consisting of an open net D with a single place s which can be or not input open.

Under additional requirements it is possible to prove the existence of a minimal pushout
complement D, i.e., a pushout complement which embeds into any other and which is taken
as a canonical choice. Roughly, the minimal pushout complement is the maximally open
one: whenever a place could be either open or not, it is taken to be open (in Fig. 9(c), this
corresponds to taking the pushout complement D with place s input open).

Lemma 6.4 (existence of the pushout complement). Let p be a rewriting rule over open
nets, let Z be an open net and let $m : L_p \to Z$ be a match. Assume that

(1) for all places $s \in L_p - l_p(K_p)$ we have ${}^\bullet m(s), m(s)^\bullet \subseteq m(L_p - l_p(K_p))$;

(2) $m(l_p(\mathit{in}(l_p)) \cap O^+_{L_p}) \subseteq O^+_Z$ and $m(l_p(\mathit{out}(l_p)) \cap O^-_{L_p}) \subseteq O^-_Z$;

(3) $m(O^x_{L_p} - l_p(O^x_{K_p})) \subseteq O^x_Z$ for $x \in \{+, -\}$.

Then the pushout complement exists in Net, defined as $D = Z - m(L_p - l_p(K_p))$,
componentwise over the place and transition sets, and it can be lifted to a minimal pushout
complement in ONet by taking as input open places:

$$O^+_D = d^{-1}(O^+_Z) \cup n(O^+_{K_p} - O^+_{L_p})$$

Output open places are defined analogously. The initial marking $\hat{u}_D$ is defined by
$\hat{u}_D(s) = \hat{u}_Z(d(s))$ for any place $s \in S_D$.

Proof. The proof is long, but straightforward. We have already motivated the dangling
condition above. In order to understand condition 2, observe that, roughly, a place s of $L_p$
is in $l_p(\mathit{in}(l_p))$ if applying the rule p the place is preserved but at least one transition in ${}^\bullet s$
is removed. Since the rule deletes an input transition from m(s) - the image of s in Z -
the corresponding place in D belongs to $\mathit{in}(d)$ and thus it must be input open. Therefore
if s is open also in $L_p$, necessarily, by the construction of pushout in ONet, m(s) must be
open in Z. Similarly, for condition 3, if a place is open in $L_p$ and it is not in the image of
$K_p$ then necessarily it will be open in Z.

Formally we have to show that (a) the mappings n and d are well-defined open net
morphisms, (b) $l_p$ and m are composable and (c) Z is the pushout. Minimality of the
pushout complement then follows by construction.
(a.1) n is a well-defined open net morphism.

Let us prove that $n^{-1}(O^+_D) \cup \mathit{in}(n) \subseteq O^+_K$ (the condition on output open places is
analogous). If $s \in n^{-1}(O^+_D)$ we have two possibilities according to the way $O^+_D$ is
defined.

- If $n(s) \in d^{-1}(O^+_Z)$ then $d(n(s)) \in O^+_Z$. Since $d \circ n = m \circ l_p$ and $m \circ l_p$ is a well-defined
open net morphism, we deduce that $s \in O^+_K$.

- If $n(s) \in n(O^+_K - O^+_L)$, since n is injective, we have that $s \in O^+_K - O^+_L \subseteq O^+_K$.

If instead $s \in \mathit{in}(n)$ then $m(l_p(s)) \in \mathit{in}(m \circ l_p)$. Since $m \circ l_p$ is an open net morphism,
we conclude $s \in O^+_K$, as desired.

Concerning the initial marking, note that for any $s \in S_K$ we have $\hat{u}_K(s) =
\hat{u}_Z(m(l_p(s))) = \hat{u}_Z(d(n(s))) = \hat{u}_D(s)$, where the last equality holds by construction.
(a.2) d is a well-defined open net morphism.

Also in this case we only prove that $d^{-1}(O^+_Z) \cup \mathit{in}(d) \subseteq O^+_D$ (the condition on output
open places is analogous). If $s \in d^{-1}(O^+_Z)$ then $s \in O^+_D$ by definition. If, instead,
$s \in \mathit{in}(d)$ then it is easy to see that there exists $s' \in S_K$ such that $s' \in \mathit{in}(l_p) \subseteq O^+_K$.
Now, there are two subcases:






- If $l_p(s') \in O^+_L$ we have that $s' \in l_p(\mathit{in}(l_p)) \cap O^+_L$ and thus $m(s') \in m(l_p(\mathit{in}(l_p)) \cap O^+_L) \subseteq
O^+_Z$ by condition 2. Since $d(s) = m(s')$ we deduce that $s \in d^{-1}(O^+_Z) \subseteq O^+_D$ by
construction of D.

- If $l_p(s') \notin O^+_L$ then $s' \in O^+_K - O^+_L$, and thus $n(s') \in n(O^+_K - O^+_L) \subseteq O^+_D$, by
construction of D.

The condition over the initial marking is trivially satisfied by construction.

(b) n and $l_p$ are composable.

We show the two conditions for composability separately:

- $n(\mathit{in}(l_p)) \subseteq O^+_D$

In fact, if $s \in \mathit{in}(l_p)$, then it is easy to see that $m(l_p(s)) \in \mathit{in}(d) \subseteq O^+_D$. Now,
$m(l_p(s)) = d(n(s))$ and, since d is an open net morphism, it must reflect open
places, and thus $n(s) \in O^+_D$.

- $l_p(\mathit{in}(n)) \subseteq O^+_L$

If $s \in l_p(\mathit{in}(n))$ then, it is easy to see that $s \in \mathit{in}(m) \subseteq O^+_L$, as desired.

(c) Z is the pushout.

We know that Z is the pushout of n and $l_p$ in Net. We have to prove that it is also
a pushout in ONet.

Concerning the set of open places we have to show that

$$O^x_Z \supseteq \{s \in S_Z : m^{-1}(s) \subseteq O^x_L \wedge d^{-1}(s) \subseteq O^x_D\}.$$

Then the converse inclusion, and thus equality, follows from the fact that m and d are
open net morphisms.

Let $s \in S_Z$ such that there are $s' \in O^x_L$ and $s'' \in O^x_D$ such that $m(s') = s = d(s'')$.
Thus, there is $s''' \in S_K$ such that $l_p(s''') = s'$ and $n(s''') = s''$.

Since $s'' \in O^x_D$, then either $s'' \in d^{-1}(O^x_Z)$ or $s'' \in n(O^x_K - O^x_L)$. Since $s' \in O^x_L$ and
$l_p(s''') = s'$, the second possibility cannot arise. In the first case $s = d(s'') \in O^x_Z$, as
desired.

When s is only in the image of D, the proof is analogous. When it is only in the
image of $L_p$, we can use condition 3 in the hypothesis. □

Summarizing, condition 1 of Lemma 6.4 is a dangling condition. By the remaining
conditions, if a place s in $L_p$ is open, and the rule prescribes either the deletion of
incoming/outgoing transitions from such place (condition 2) or the deletion of the place itself
(condition 3), then the image of s in Z must be open. Examples of what fails when
conditions 2 and 3 are violated can be found in Fig. 9(a) and 9(b).



It is worth observing that in the case of rules p such that morphism $l_p$ preserves open
places, i.e., $l_p(O^x_{K_p}) \subseteq O^x_{L_p}$ for $x \in \{+, -\}$, the above result ensures the existence of a unique
pushout complement.

Given a match $m : L_p \to Z$ as in the proposition above, the transformation can be
completed if $n : K_p \to D$ and $r_p : K_p \to R_p$ are composable. For this we need to suitably
restrict matches.

Definition 6.5 (proper match). Let p be a rewriting rule over open nets and let Z be an
open net. A match $m : L_p \to Z$ is called proper if it satisfies conditions 1, 2, and 3 in
Lemma 6.4 and

(4) for any $s \in K_p$, if $s \in \mathit{in}(r_p) - \mathit{in}(l_p)$ then $m(l_p(s)) \in O^+_Z$;

(5) $r_p(l_p^{-1}(\mathit{in}(m))) \subseteq O^+_{R_p}$,

plus the dual conditions on output places.

Figure 10: Examples of non-proper matches violating (a) condition 4 and (b) condition 5.

Intuitively, a match is proper if whenever $s \in l_p(\mathit{in}(r_p))$, i.e., the rule p creates a
new (ingoing) transition connected to place s, then m(s) is (input) open (condition 4).
Additionally, input (output) places for the match which are preserved by the rule must
be input (output) open in $R_p$. An example in which condition 4 is violated can be found
in Fig. 10(a). For place s in $K_p$ we have $s \in \mathit{in}(r_p)$, since transition t is added in $R_p$, but
$s \notin \mathit{in}(l_p)$. Note that the mapping from D to Z' is not a valid open net morphism, since
place s in D is not open. In Fig. 10(b), instead, it is condition 5 which is violated. Place s of
$L_p$ is in $\mathit{in}(m)$, it is preserved by the rule, but the corresponding place in $R_p$ is not open.
Again we cannot complete the DPO step since the mapping from $R_p$ to Z' is not a valid
open net morphism (place s should be input open in $R_p$).
We finally arrive at the desired result.

Lemma 6.6 (applying general rules). Let p be a rule over open nets, let Z be an open net
and let $m : L_p \to Z$ be a proper match. Then there exists a transformation $Z \stackrel{p,m}{\Rightarrow} Z'$.

Proof. Let p be a rule over open nets, let Z be an open net and let $m : L_p \to Z$ be a proper
match. Then, by using Lemma 6.4 we can construct the minimal pushout complement of
$l_p$ and m, as in Fig. 8(a).

In order to conclude, it suffices to show that n and $r_p$ are composable. To this aim
observe that by properness of the match:

• $n(\mathit{in}(r_p)) \subseteq O^+_D$ (and the same condition holds for out(.))

In fact, let $s \in \mathit{in}(r_p)$. We distinguish two possibilities. If $s \in \mathit{in}(l_p)$ then necessarily
$n(s) \in \mathit{in}(d)$ and thus $n(s) \in O^+_D$, since n is an open net morphism. If instead, $s \notin \mathit{in}(l_p)$,
then $s \in \mathit{in}(r_p) - \mathit{in}(l_p)$, hence, by condition 4 of Definition 6.5, $m(l_p(s)) \in O^+_Z$. Since
$m(l_p(s)) = d(n(s))$ and d is an open net morphism, we conclude that also in this case
$n(s) \in O^+_D$.

• $r_p(\mathit{in}(n)) \subseteq r_p(l_p^{-1}(\mathit{in}(m))) \subseteq O^+_{R_p}$ (and the same condition holds for out(.))

Immediate by condition 5 of Definition 6.5. □

6.2.2. Applying Behaviour Preserving Rules. Sufficient hypotheses which ensure the
applicability of behaviour preserving rules are made explicit in the following statement. This is
a corollary of the general theory of transformations for open nets developed before.

Corollary 6.7 (applying behaviour preserving rules). Let p be an x-behaviour preserving
rule, let Z be an open net and let $m : L_p \to Z$ be a match such that:

a. for all $s \in L_p - l_p(K_p)$ we have ${}^\bullet m(s) \cup m(s)^\bullet \subseteq m(L_p - K_p)$;

b. for all $s \in K_p$, if $s \in \mathit{in}(l_p)$ and $l_p(s) \in O^+_{L_p}$ then $m(l_p(s)) \in O^+_Z$;

c. for all $s \in K_p$, if $s \in \mathit{in}(r_p) - \mathit{in}(l_p)$ then $m(l_p(s)) \in O^+_Z$;

and the dual of the last two conditions, obtained by replacing in() by out() and + by −, hold.
Then, there exists a transformation $Z \stackrel{p,m}{\Rightarrow} Z'$.

Proof. This is an easy consequence of Lemma 6.6. We need to show that conditions (a)-
(c) ensure that the match m is proper, i.e., it satisfies conditions 1-5 of Lemma 6.4 and
Definition 6.5.

Condition 1 is the same as condition (a), condition 2 is just a compact notation for
condition (b) and condition 4 is exactly condition (c). Concerning condition 3, observe
that, since p is a behaviour preserving rule then $(r_p \circ l_p^{-1})|_{O_{L_p}}$ is a correspondence between
the left- and right-hand side. This means that for any place s in $O^x_{L_p}$ there must be a place
s' in $K_p$ such that $l_p(s') = s$, and, by definition of open net morphism s' must be open, i.e.,
$s' \in O^x_{K_p}$. Therefore $O^x_{L_p} \subseteq l_p(O^x_{K_p})$ and thus condition 3 is trivially satisfied. Similarly, for
condition 5, observe that, by definition of open net morphisms, $\mathit{in}(m) \subseteq O^+_{L_p}$, and, thus

$$r_p(l_p^{-1}(\mathit{in}(m))) \subseteq r_p(l_p^{-1}(O^+_{L_p})) = O^+_{R_p}.$$

The last equality is justified by the fact that p is behaviour preserving, and thus, as observed
above, $(r_p \circ l_p^{-1})|_{O_{L_p}}$ is a correspondence between $L_p$ and $R_p$. □

The intuition underlying the conditions above is the following. Condition (a) is a typical
dangling condition, which we have already commented on. Condition (b) says that if $s \in \mathit{in}(l_p)$,
i.e., if some (ingoing) transitions are deleted from s then the image of s in Z must be (input)
open if so is its image in $L_p$. Finally, by condition (c), if $s \in \mathit{in}(r_p) - \mathit{in}(l_p)$, i.e., the rule
p creates a new (ingoing) transition connected to place s, without replacing any old one,
then the image of s in Z must be (input) open.

As an example, consider again the DPO diagram in Fig. 8(b). It is not difficult to see
that the rule and the match satisfy the conditions of Corollary 6.7. Hence we can complete
the double-pushout construction transforming Z into Z', as depicted in the same figure.
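
The conditions (a)-(c) of Corollary 6.7 and their duals can be checked mechanically; the sketch below is an added example, not code from the paper. It assumes that in(f) is the set of source places whose image has an ingoing transition outside the image of f (the reading suggested by the intuition above, with out(f) dual), ignores arc weights and markings, and does not check that the rule is behaviour preserving. All nets and names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Net:
    places: set
    trans: dict = field(default_factory=dict)   # name -> (pre places, post places)
    o_in: set = field(default_factory=set)      # input open places
    o_out: set = field(default_factory=set)     # output open places

    def producers(self, s):                     # pre-set of s
        return {t for t, (_, post) in self.trans.items() if s in post}

    def consumers(self, s):                     # post-set of s
        return {t for t, (pre, _) in self.trans.items() if s in pre}

@dataclass
class Emb:
    """Embedding src -> dst given by a place map p and a transition map t."""
    src: Net
    dst: Net
    p: dict
    t: dict = field(default_factory=dict)

    def in_(self):   # assumed definition of in(f), see the lead-in
        img = set(self.t.values())
        return {s for s in self.src.places if self.dst.producers(self.p[s]) - img}

    def out_(self):  # dual of in(f)
        img = set(self.t.values())
        return {s for s in self.src.places if self.dst.consumers(self.p[s]) - img}

def violations(l, r, m):
    """Conditions of Corollary 6.7 broken by match m for the rule L <-l- K -r-> R."""
    K, L, Z = l.src, l.dst, m.dst
    bad = []
    deleted = {m.t[t] for t in set(L.trans) - set(l.t.values())}
    for s in sorted(L.places - set(l.p.values())):            # (a) dangling condition
        if (Z.producers(m.p[s]) | Z.consumers(m.p[s])) - deleted:
            bad.append(("a", s))
    sides = (("+", Emb.in_, "o_in"), ("-", Emb.out_, "o_out"))
    for sign, boundary, attr in sides:                         # (b), (c) and their duals
        for s in sorted(K.places):
            image_open = m.p[l.p[s]] in getattr(Z, attr)
            if s in boundary(l) and l.p[s] in getattr(L, attr) and not image_open:
                bad.append(("b" + sign, s))
            if s in boundary(r) - boundary(l) and not image_open:
                bad.append(("c" + sign, s))
    return bad

# Constructed rule: an abstract transition t from i to o, refined or extended on the right.
ident = {"i": "i", "o": "o"}
K = Net({"i", "o"}, o_in={"i", "o"}, o_out={"i", "o"})
L = Net({"i", "o"}, {"t": ({"i"}, {"o"})}, o_in={"i"}, o_out={"o"})
R_refine = Net({"i", "mid", "o"}, {"t1": ({"i"}, {"mid"}), "t2": ({"mid"}, {"o"})},
               o_in={"i"}, o_out={"o"})
R_retry = Net({"i", "o"}, {"t": ({"i"}, {"o"}), "retry": ({"o"}, {"i"})},
              o_in={"i"}, o_out={"o"})
l, r_refine, r_retry = Emb(K, L, ident), Emb(K, R_refine, ident), Emb(K, R_retry, ident)

# Constructed hosts: the same net with i and o closed, then open.
host = {"t": ({"i"}, {"o"}), "prod": ({"x"}, {"i"}), "cons": ({"o"}, {"x"})}
m_closed = Emb(L, Net({"i", "o", "x"}, host), ident, {"t": "t"})
m_open = Emb(L, Net({"i", "o", "x"}, host, o_in={"i"}, o_out={"o"}), ident, {"t": "t"})

# Constructed rule deleting place p, matched where another transition still uses p.
K2, L2 = Net({"i"}, o_out={"i"}), Net({"i", "p"}, {"t": ({"i"}, {"p"})})
l2, r2 = Emb(K2, L2, {"i": "i"}), Emb(K2, Net({"i"}), {"i": "i"})
Z2 = Net({"i", "p", "y"}, {"t": ({"i"}, {"p"}), "u": ({"p"}, {"y"})})
m2 = Emb(L2, Z2, {"i": "i", "p": "p"}, {"t": "t"})

if __name__ == "__main__":
    print(violations(l, r_refine, m_closed), violations(l, r_retry, m_closed))
    print(violations(l, r_retry, m_open), violations(l2, r2, m2))
```

The refinement rule replaces the transitions it removes, so it applies even where i and o are closed in the host; the rule adding `retry` attaches a new ingoing transition to i and a new outgoing one to o, so it applies only where those places are open.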

6.3. Modeling Dynamic Reconfigurations of Services. 

Open nets allow us to specify a system as built out of smaller components. Then, its 
behaviour is captured by the firing or step behaviour of the open net. However, for highly 
dynamic systems, as mentioned in the introduction, it can be useful to have the possibility 
of specifying that, under suitable conditions, some structural changes or reconfigurations 
of the system can take place. For instance the invocation of a service could trigger a rule 
which provides an implementation of the required service. 

The theory of open net reconfigurations can do the job. As an example, consider net $Z_0$
in Fig. 12 which models the view of a traveller on the journey planning and ticket purchase
services offered through a travel agency portal.

Figure 11: Rules

We distinguish abstract transitions representing services that should be provided else- 
where and concrete transitions representing local services and control flow actions. The 
invocation of an external service can be seen at different levels of abstraction. From the 
point of view of the client process it is just the firing of an abstract transition. At a lower 
level of abstraction, it is captured by a rule such as the one at the top of Fig. 11. An
application of this rule, replacing the abstract transition by a new open net, models the 
discovery and binding of the concrete services required. The left- and right-hand sides of 
the rule are weakly firing (actually, also step) bisimilar if we observe only the interactions 
at the open (interface) places, i.e., if we take $\Lambda_\tau = \Lambda$. This can be seen as a proof of the
fact that the bound service meets the requirements: both in the abstract transition and in 
its concrete counterpart any inquiry will produce a corresponding itinerary. 

The rule at the bottom of Fig. 11 represents a case where a simple pattern is replaced
by a richer one. On the left we say that, given an itinerary, we can either purchase the 
required tickets or cancel the processes. On the right the transaction is refined, adding a 
prior reservation phase, while keeping the option to cancel. As above, the rule has weakly 
firing (and step) bisimilar left- and right-hand sides, ensuring that the visible effect of the 
abstract and concrete transitions at the interfaces is the same. 

A possible sequence of transformations is shown in Fig. 12. By Theorem 6.3 we are
sure that the transformations do not change the observable behaviour of the system, i.e., 
the start and end nets are weakly bisimilar, a fact that can be interpreted as a proof of 
conformance of the provided service with respect to the abstract specification. 

We have shown only a small example application; however, we believe that this
technique can be applied to larger case studies, such as the banking scenario studied in [12]. In
order to do this automatically, it would be necessary to implement mechanized bisimulation
checking procedures. For finite state spaces, this is quite straightforward; for infinite state
spaces we could resort to the techniques presented in [15]. In any case the up-to technique
presented in Section 5 will be very useful for practical case studies.

Figure 12: Transformation of open nets representing a travel agent's portal.

Another relevant question is the following: which kind of bisimilarity should be used? 
While strong firing bisimilarity is conceptually the simplest behavioural equivalence, practi- 
cal examples usually require weak bisimulations in order to abstract from internal or silent 
moves. Finally, step bisimulation is able to distinguish processes that differ with respect 
to the degree of concurrency. This can be relevant if the observer is able to distinguish 
different degrees of parallelism or if we take into account efficiency questions. 



7. Conclusions and Related Work 

Open nets, introduced in [2], [3], are a reactive extension of standard Petri nets which
allows one to model systems interacting with an unspecified environment.

As mentioned in the introduction there is a vast related literature. A close conceptual 
relationship exists with the early studies on modular construction and refinement techniques 
(see, e.g., [371 E3 I2H1 HI] ) and on composition operators and compositional semantics for 
Petri nets (see, e.g., [U [9j El |36] ) . The last class comprises also the algebraic approaches to 
Petri nets which view the class of Petri nets as a category and, characterising the semantics of 
interest as universal constructions, automatically deduce the compositionality for suitably
defined operators [5711351123] . 

More recent approaches, which focus more explicitly on the definition of a notion of
module and interface and where the reactive aspects are taken into account in the semantics 
can be classified roughly into two classes. Some approaches aim at defining a "calculus of 
nets" , where a set of process algebra-like operators allow one to build complex nets starting 
from a set of predefined basic components. In this family, the papers [29], [33] propose
an algebra of (labelled) Petri nets with interfaces, consisting of public (input) places and 
(output) transitions, with operators which allow e.g., to add new transitions and places, to 
connect existing public transitions and places by new arcs, to hide items in the net. We also 
recall the Petri Box calculus PHI EE1 [J7] , where a special class of safe nets, called plain boxes,
provides the basic components, which are then combined by means of (refinement-based)
composition operators. Another family of approaches can be classified as "component- 
oriented": the emphasis, rather than on the algebraic aspects, is put on the mechanisms 
which allow one to build larger systems by combining nets with clearly identified interfaces. 
For instance the book [33] proposes a technique for inserting a net, called daughter net, into 
a so-called host net. The composition is realised by joining the two nets along a predefined 
set of places, playing the role of open places. The distinction between input and output 
open places, absent in [33], instead is later considered in [45]. A compositionality result is
proved for language equivalence and a notion of bisimilarity, very close to ours, is defined. 
Interestingly, the same book also focuses on an alternative approach to net composition, 
based on an operation of synchronised parallel product in the style of [38]. Such operation, 
roughly speaking, joins two nets by forcing the synchronisation of transitions with the same 
label. Other members of the "component-oriented" family are, for example, the Petri net 
components [16] and the nets with pins [5]. We also recall workflow nets [38] which have
been proposed as a formal model for the description of workflows, i.e., business processes 
specified in terms of tasks and shared resources. Workflow nets are special Petri nets 
satisfying suitable conditions, like the existence of one initial and one final place: tokens 
in such places characterise the start and the end, respectively, of the represented process. 
The model has been extended for the specification of interorganisational workflows [39], 
represented as a set of workflow nets connected through additional places for asynchronous 
communication and synchronisation requirements on transitions. Additional references, as 
well as a detailed comparison between the approaches to Petri net composition and reactivity 
just cited and the open net model can be found in [4].

In this paper, firstly we have generalised the theory of open nets, including the char- 
acterisation of net composition using pushouts, to the case of marked nets. Next we have 
introduced several natural notions of bisimilarity over open nets, showing that weak bisimi- 
larities, arising in the presence of unobservable actions, and, as a particular case, also strong 
bisimilarities are congruences with respect to the colimit-based composition operation over 
open nets. The considered notions of bisimilarity differ for the choice of the observations. 
These can be single firings, thus leading to what we called firing bisimilarity, a standard 
notion of interleaving equivalence, capable of capturing the branching structure of compu- 
tations. Alternatively, we can observe parallel steps, thus obtaining step bisimilarity, which 
allows one to capture, to some extent, the degree of parallelism that is possible in a component.
This can be useful, e.g., when a component is replaced by another one since we might be 
interested in taking a replacement that exhibits at least the same concurrent behaviour and 
is hence equally efficient. 

In recent years, reactive extensions of Petri nets have been obtained by exploiting a 
general theory of reactive systems developed for automatically deriving bisimulation con- 
gruences. Specifically, an encoding of Petri nets as bigraphical reactive systems has been 
proposed in [27], while [35] proposes an encoding of nets as reactive systems in the cospan 
category over an adhesive category. Our results about strong firing bisimilarity can be seen 
as a generalisation of those in [27, 35], which essentially are developed for a special kind of 
open nets, where there is no distinction between input and output open places. Further- 
more the composition operation used in the cited papers does not allow synchronisation of 
transitions (technically, the interface net does not contain transitions). 

Concerning weak step bisimilarity, some connections seem to exist with the work on 
action refinement, which goes back to [37]. For example, in [33] (weak) step bisimilarity is 
shown to be a congruence with respect to a refinement operation which allows one to replace 
a single event with a deterministic finite event structure. Although the setting is different 
and a direct comparison is not possible, we observe that, compared to refinement-based 
approaches, where single transitions are refined by a subnet, the theory presented here 
works for general reconfigurations, in which both the left- and right-hand sides can be 
general, arbitrarily large nets. 

Weak (step) bisimilarity for Petri nets is studied also in [29]. They observe that such an 
equivalence is not a congruence in general, but for Petri nets satisfying a suitable condition 
on the labelling of the public transitions (well-labelled nets), a context closure allows one 
to get a congruence which is then characterised by means of a universal context. The 
setting is different from ours since the issue of net composition is tackled at a finer level 
of granularity: the basic components of a net are assumed to be transitions with empty 
pre- and post-set and single places, which are then combined by means of constructors that 
allow one to connect places and transitions. Still it would be interesting to understand if a 
formal relation can be established, e.g., trying to internalise the pushout-based composition 
operation in the algebra of connectors of [29]. 

Similarities exist also with the problem studied in [11], where a reactive Petri net 
model which admits a compositional behavioural equivalence is exploited, in the framework 
of web-services, to provide a theoretical basis to service composition and discovery. This 
technique is then used in a case study for checking the correctness of service specifications 
and the replaceability of services in a banking scenario [12]. Disregarding the technical 
differences, such as the fact that the mentioned paper deals with C/E nets and the use of 
read arcs, the kind of nets of interest for this approach are essentially a subclass of open 
Petri nets, satisfying some structural requirements (all labels are invisible and the interface 
consists of a single input and a single output place, plus some read places). Generally 
speaking, compositional Petri net models appear to be promising as a formalism for the 
specification of control and composition in service oriented architectures as suggested, e.g., 
in [HI [22l HOI [23] . Investigating possible applications of (reconfigurable) open Petri nets, 
along the lines of the presented example, in the setting of web-service specification and 
analysis represents a stimulating direction of future research. 

In the second part of the paper we have proposed a rewriting-based framework for 
Petri nets with reconfigurations. We have shown how our congruence results can be used 
to identify classes of reconfigurations which do not alter the observational behaviour of the 
system. This is applied to a small case study of a workflow-like model of a travel agency, 
where we showed how abstract services can be replaced by more concrete implementations 
and how we can ensure that the behaviour of the full net is preserved under such operations. 

Action refinement of Petri nets (see, e.g., [371 ESI [23 SI] ) , that we already mentioned 
above, can be seen as a special form of reconfiguration. The idea of using rewriting 
techniques for providing a reconfiguration mechanism for Petri nets has already been explored 
in the literature (see, e.g., reconfigurable nets of [2j [2TJ and high-level replacement systems 
applied to Petri nets in [31]). In these approaches, however, the emphasis is more on 
rewriting as a computational mechanism, rather than on the study of the way the behaviour 
of the system is affected by the reconfigurations. In future work, besides deepening the 
relationships between these approaches and ours, we will continue studying the notion of 
reconfigurable open nets and describe in more detail how reconfigurations can be triggered 
by the net itself, for example by reaching certain markings or by firing certain transitions, 
following an intuition similar to that of dynamic nets [13]. 

Finally, it would be worth studying whether a formal duality can be established between 
our morphisms and standard simulation morphisms for Petri nets. Viewing our morphisms 
as inverses of (partial) simulation morphisms would allow one to get a precise correspondence 
between our pushout-based composition and pullback-based synchronisation of Petri nets. 
Surely by simply taking Winskel's morphisms [17] this does not work (technically because 
when they are undefined on a transition they must be undefined on the corresponding pre- 
and post-set). Also more general morphisms for Petri nets, like those proposed in \42\ 17], 
would not provide an immediate solution. Still, it looks feasible to identify generalisations 
of such morphisms to the context of open Petri nets allowing one to develop a dual theory based 
on simulations. 

Acknowledgement: We would like to thank the referees for their insightful and detailed 
comments. 